You dont have javascript enabled! Please enable it!

Get Azure VM Insights and Performance using KQL

4 Min. Read

Azure virtual machines (VMs) compute instances can run on demand. You can use them like servers deployed on-premises, operating systems and applications, or containerized workloads. Monitoring operating systems performance for Azure VMs is one of the core critical elements of your day-to-day operations.

In this article, we will show you how to get Azure VM insights and performance using KQL queries.


VM insights include a performance set that targets several key performance indicators (KPIs) to help you determine how well an Azure virtual machine is performing.

While there are numerous elements to consider when dealing with performance, VM insights monitor key operating system performance indicators related to the processor, memory, network adapter, and disk utilization. VM insights performance complements the health monitoring feature. It helps you to expose issues that indicate a possible system component failure, support tuning, and optimization to achieve efficiency or support capacity planning.

If you already have VM insights configured, then you could view the performance chart directly from an Azure VM or for multiple VMs in the Azure portal as described by Microsoft.

The purpose of this article is to use KQL queries to find disk drive free space, free available memory, CPU utilization, and network bandwidth of all the Azure VMs without logging into every server or using the VM insights chart.


To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) Azure Resource Group (RG).

3) At least one supported operating system (x64) is deployed in the desired RG. Please check the following table lists for the supported operating systems for update assessments and patching.

4) Log Analytics Workspace. Check the following article on how to create a Log Analytics workspace.

5) Enable VM insights to monitor the performance of your Azure VM. Check the following article to configure the Log Analytics workspace for VM insights. To configure a single workspace for all your VMs, go to the Virtual Machines blade under Insights in the Azure Monitor menu, select Configure Insights, in the Not monitored tab as shown in the figure below, and select a subscription, a workspace and then click Configure.

Configure Azure VM Insights
Configure Azure VM Insights

You could also use Azure Policy to ensure all VMs and VM Scale Sets in your subscriptions and resource groups are configured for monitoring automatically.

Assuming you have all the prerequisites in place, take now the following steps:

KQL Query CPU Utilization

Open the log analytics workspace and run the following query. You can run the query in Azure Monitor or Azure VM Logs or Log Analytics Workspace.

| where Origin == ""
  and Namespace == "Processor"
  and Name == "UtilizationPercentage"
| extend CPU=tostring(todynamic(Tags)[""])
| summarize CPU_Load_Percentage = avg(Val) by Computer, CPU, _ResourceId
| project Computer, Total_vCPUs=CPU, CPU_Load_Percentage

This query returns the result of Select Computer from Scope, the total CPU set on the VM, and CPU load in Percentage.

KQL Query CPU Utilization in Percentage
KQL Query CPU Utilization in Percentage

We have blur-boxed the Computer values for obvious reasons.

KQL Query Free Disk Space

To get the free disk space in GB for all Azure VMs, run the following query:

| where Origin == ""
  and Namespace == "LogicalDisk" 
  and Name == "FreeSpaceMB"
| extend Disk=tostring(todynamic(Tags)[""]),
| summarize Disk_Free_Space_GB = avg(Val)/(1024) by Computer, 
  Disk, Disk_Size_GB, _ResourceId 
| project Computer, Disk, Disk_Size_GB, Disk_Free_Space_GB

This query returns the result of Select Computer from Scope, all disks for each computer, the disk size, and the free disk space in GB.

KQL Query Free Disk Space
KQL Query Free Disk Space

KQL Query Free Available Memory

To get the free available memory in GB for all Azure VMs, run the following query:

| where Origin == "" and Namespace == "Memory"
| extend TotalMemoryGB=(todynamic(Tags)[""])/(1000)
| summarize FreeMemoryGB = avg(Val)/(1000) by Computer, TotalMemoryGB, _ResourceId
| project Computer, TotalMemoryGB, FreeMemoryGB

This query returns the result of Select Computer from Scope, the total memory set on the VM, and the free memory available in GB.

KQL Query Free Available Memory
KQL Query Free Available Memory

KQL Query Network Bandwidth

To get the network bandwidth in MB (In and Out) for all Azure VMs, run the following query:

| where Origin == "" and Namespace == "Network"
| extend NIC_Name=tostring(todynamic(Tags)[""])
| summarize NIC_Bandwidth_MB = avg(Val)/(1024/1024) by Computer, NIC_Name, Name
| project Computer, NIC_Name, ReadReceived_WriteSent=Name, NIC_Bandwidth_MB

This query returns the result of Select Computer from Scope, the Network Interface Name, the bandwidth (Read=Received=In) and (Write=Sent=Out), and the consumed bandwidth in MB for each NIC in any direction.

KQL Query Network Bandwidth
KQL Query Network Bandwidth

That’s it! This was a simple way to check the CPU utilization in percentage, available disk space, available memory, and network bandwidth on all Azure VMs using KQL.


In this article, we discussed how to monitor Azure virtual machines’ performance using KQL. All those queries will work on Windows and Linux virtual machines.

You can use them to check resource utilization over a period of time so you can identify bottlenecks, and anomalies, or switch to a perspective listing each machine to view resource utilization based on the metric selected.

Then you can create alert rules for your virtual machines and their guest operating systems. Alerts in Azure Monitor proactively notify you of interesting data and patterns in your monitoring data. There are no preconfigured alert rules for virtual machines, but you can create your own based on data collected by VM insights and KQL.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Photo of author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect, Swiss Certified ICT Security Expert, Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT). He has over 20 years of broad IT experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems with extensive practical knowledge of complex systems build, network design, business continuity, and cloud security.

Related Posts


Passing the Azure Network Security Ninja Training

Cloud Security Pen Testing: Everything You Need to Know


Let me know what you think, or ask a question...

error: Alert: The content of this website is copyrighted from being plagiarized! You can copy from the 'Code Blocks' in 'Black' by selecting the Code. Thank You!