Logs contain rich stories about your systems. What if you could automate their analysis, extract key insights, and receive a clear, concise summary - effortlessly?
In this post, we’ll demonstrate how to build a simple yet powerful workflow using Azure Logic Apps, Log Analytics queries, and LLMs to automate log analysis, save time, and spot issues faster.
While we focus here on an example using Application Insights data with Azure OpenAI, the same approach can be applied to any Log Analytics source - whether raw logs, security events, or custom logs. By customizing your queries and AI prompts to match your data and the model’s capabilities, you can easily adapt this workflow to meet your specific needs.
Note: This blog post offers guidance for automating workflows with Log Analytics data and LLMs using existing Azure Monitor products. It’s intended as a flexible approach based on user needs and preferences, providing an additional option alongside other Microsoft experiences, such as Azure Monitor issues and investigations (preview).
Application Insights as a Use Case
Imagine you’re an Application Insights user relying on the AppTraces table - detailed logs of events, errors, and critical traces. You need to spot hour-over-hour spikes or drops, identify operations causing the most issues, and detect recurring patterns or keywords that reveal deeper problems. These insights help turn raw data into actionable information.
Running queries and analyzing logs regularly is essential, and automation offers a way to make this process more efficient. This saves time and helps you focus on the most impactful insights - so you can quickly move on to what matters next.
With Azure Logic Apps, you can create a recurring workflow that automatically runs your Log Analytics queries, sends the summarized results to Azure OpenAI for analysis, and delivers a clear, actionable report straight to your inbox on your preferred schedule.
From Logs to Insights: Step-by-Step AI Workflow
1. Create a Logic App
- Go to the Azure Portal and create a new Logic App.
- Open the Logic App Designer to start building your workflow.
- Helpful resource: Overview - Azure Logic Apps | Microsoft Learn
2. Set a Trigger
- Add a trigger to start your flow - for this scenario, we recommend using the Recurrence trigger to schedule it on a weekly basis (or any frequency you prefer). Of course, you can choose other triggers depending on your specific needs.
3. Query Your Log Analytics Data
- Add the Azure Monitor Logs - “Run query and list results” connector to your Logic App.
- Connect it to your Log Analytics workspace (or another relevant resource).
- Write a Kusto Query Language (KQL) query to pull data from Log Analytics tables.
- In our example, the query retrieves aggregated error-level (SeverityLevel = 3) and critical-level (SeverityLevel = 4) traces from the last week, grouped by hour and operation name, with three sample messages for context. This not only shows the number of errors, when they occurred, and which operations were most affected, but also gives the LLM in the next step a solid foundation for uncovering deeper insights and trends.
- The query:
AppTraces
| where TimeGenerated > startofday(ago(7d))
| where SeverityLevel in (3, 4) // Error = 3, Critical = 4
| summarize TracesCount = count(), SampleMessages = make_list(Message, 3) by bin(TimeGenerated, 1h), SeverityLevel, OperationName
| order by TimeGenerated asc
- Tip: Log datasets can be huge - use the summarize operator to aggregate results and reduce the volume for the AI model.
- Helpful resource: Connect to Log Analytics or Application Insights - Azure Logic Apps | Microsoft Learn
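Because summarize ... by bin(TimeGenerated, 1h) returns no row for an hour without matching traces, any hour-over-hour comparison over this result has to look up the previous hour by timestamp rather than by row position. The sketch below is an added example, not part of the original post: it computes the weekly totals and the >100% spikes that the prompt in step 5 asks the model for, so the figures in the report can be checked against the query rows. The sample rows are constructed, the function names are hypothetical, and SampleMessages is omitted because the arithmetic does not need it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape returned by the page's KQL query.
SAMPLE_ROWS = [
    {"TimeGenerated": "2025-01-06T09:00:00Z", "SeverityLevel": 3, "OperationName": "GET /orders", "TracesCount": 4},
    {"TimeGenerated": "2025-01-06T09:00:00Z", "SeverityLevel": 4, "OperationName": "POST /pay", "TracesCount": 1},
    {"TimeGenerated": "2025-01-06T10:00:00Z", "SeverityLevel": 3, "OperationName": "GET /orders", "TracesCount": 12},
    {"TimeGenerated": "2025-01-06T13:00:00Z", "SeverityLevel": 3, "OperationName": "GET /orders", "TracesCount": 3},
    {"TimeGenerated": "2025-01-06T14:00:00Z", "SeverityLevel": 3, "OperationName": "GET /orders", "TracesCount": 6},
]

def parse_hour(ts):
    """Parse the ISO 8601 bin start; 'Z' is rewritten for older Python versions."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def totals_by_severity(rows):
    """Weekly TracesCount per SeverityLevel (prompt task 1)."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["SeverityLevel"]] += row["TracesCount"]
    return dict(totals)

def hourly_changes(rows, spike_pct=100.0):
    """Hour-over-hour comparison (prompt task 4).

    The previous hour is looked up by timestamp, not by list position,
    and a missing bin counts as 0 traces. Hours with no baseline are
    returned separately because a percentage change is undefined there.
    """
    per_hour = defaultdict(int)
    for row in rows:
        per_hour[parse_hour(row["TimeGenerated"])] += row["TracesCount"]
    spikes, from_zero = [], []
    for hour in sorted(per_hour):
        prev = per_hour.get(hour - timedelta(hours=1), 0)
        cur = per_hour[hour]
        if prev == 0:
            from_zero.append(hour.isoformat())
        elif (cur - prev) / prev * 100 > spike_pct:
            spikes.append((hour.isoformat(), prev, cur))
    return spikes, from_zero

if __name__ == "__main__":
    print(totals_by_severity(SAMPLE_ROWS))
    print(hourly_changes(SAMPLE_ROWS))
```

In the sample, 13:00 follows a three-hour gap, so it is reported as starting from zero instead of as a drop from the 10:00 count.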
4. Prerequisite - Azure OpenAI Resource Configuration
- Make sure you have an Azure OpenAI resource set up and an AI model (e.g., GPT-4) deployed before continuing with your workflow.
- Helpful resource: What is Azure OpenAI in Azure AI Foundry Models? | Microsoft Learn
5. Analyze and Summarize with Azure OpenAI
- In Logic Apps, add an HTTP action and set all the parameters to call the OpenAI API endpoint.
- Pass the query results from the previous step (step 3) as input and instruct the OpenAI model to:
- Summarize key findings - for example, the total number of errors and critical events, and identify the top operations generating the most issues.
- Highlight anomalies or trends - such as trends and spikes in errors over time (hour-by-hour), and detection of recurring error patterns or keywords.
- Provide recommendations prioritized by urgency to guide the next steps.
- Format the output in HTML for easy email rendering.
- Tip: The body structure sent to the AI includes both System and User rules, formatted together as one string (see below).
- Helpful resource: How to use Assistants with Logic apps - Azure OpenAI | Microsoft Learn
Here’s the prompt example:
{
"messages": [
{ "role": "system",
"content": "You are an Azure AI tool that creates a weekly report based solely on this prompt and input JSON data from Log Analytics. The input is a list of records, each with these fields: TimeGenerated (ISO 8601 timestamp string), SeverityLevel (integer, where 3=Error, 4=Critical), OperationName (string), TracesCount (integer), SampleMessages (JSON string representing a list of up to 3 messages). Your tasks: 1) Sum the TracesCount values accurately to provide total counts for the entire week and broken down by day and SeverityLevel. 2) Present TracesCount counts per OperationName, grouped by hour and day with severity-level breakdowns. 3) Identify and list the top 10 OperationNames by combined Error and Critical TracesCount for the week, including up to 3 unique sample messages per OperationName, removing duplicates. 4) Compare TracesCount hour-by-hour and day-by-day, calculating percentage changes and highlighting spikes (>100% increase) and significant drops. 5) Detect any new OperationNames appearing during the week that did not appear before. 6) Highlight recurring Errors and Critical issues based on keywords: timeout, exception, outofmemory, connection refused. 7) Assign urgency levels based on frequency, impact, and trends. 8) Provide clear, prioritized recommendations for resolving the main issues. Format your output as valid inline-styled HTML using only these tags: <h2>, <h3>, <p>, <ul>, <li>, and <hr>. Include these report sections in this order: Executive Summary, Weekly Totals and Daily Breakdown, Hourly and Daily Trend Comparison, New & Emerging OperationNames, Detailed Operation Errors, Data Quality & Confidence, Recommendations. Include an opening title with the report’s time period." },
{ "role": "user",
"content": "@{string(outputs('Run_query_and_list_results'))}" } ] }
6. Send the Report via Email
- Use the Send an email (V2) connector, or another endpoint connector, such as Teams.
- Send the AI-generated report to your team, stakeholders, or yourself.
- Customize the email subject, body, and importance level as needed.
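The system prompt in step 5 limits the report to six tags, but that is an instruction to the model rather than something the workflow enforces, and the SampleMessages passed to the model are raw log text. One way to enforce the allow-list on the model's output before it reaches the email step, as an added example that is not part of the original post (the class and function names and the sample model output are constructed for illustration):

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"h2", "h3", "p", "ul", "li", "hr"}  # tags the system prompt permits
DROP_CONTENT = {"script", "style"}                  # elements whose text is discarded

class ReportSanitizer(HTMLParser):
    """Rebuilds the report keeping only allow-listed tags and the style attribute."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.violations, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"tag <{tag}>")
            return
        style = ""
        for name, value in attrs:
            # Inline styles are expected; a style that can fetch a URL is not.
            if name == "style" and value and "url(" not in value.lower():
                style = f' style="{escape(value, quote=True)}"'
            else:
                self.violations.append(f"attribute {name} on <{tag}>")
        self.out.append(f"<{tag}{style}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self._skip:
            self._skip -= 1
        if tag in ALLOWED_TAGS and tag != "hr":     # hr is a void element
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize_report(html_text):
    """Return (clean_html, violations) for the model's report."""
    parser = ReportSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.violations

# Constructed model output: two tags and one attribute fall outside the allow-list.
MODEL_OUTPUT = ('<h2 style="color:#333">Weekly report</h2><p onclick="x()">Total errors: 25</p>'
                '<a href="https://example.invalid/login">Re-authenticate here</a>'
                '<script>track()</script><hr/>')

if __name__ == "__main__":
    print(sanitize_report(MODEL_OUTPUT))
```

A non-empty violations list is also a useful signal on its own: it means the model produced markup the prompt did not ask for, which is worth reviewing alongside that week's SampleMessages.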
[Figure: section of the final email report]
Important reminder: Once your flow is ready, enable it in Logic Apps to ensure it starts running according to the schedule.
Key Takeaways
By combining Azure Logic Apps, Log Analytics, and Azure OpenAI, you can turn raw, complex logs into clear, actionable insights - automatically. This workflow helps reduce manual analysis time and enables faster responses to critical issues.
Ready to try? Build your own automated log insights workflow today and empower your team with AI-driven clarity.