Implementing proactive monitoring with KQL query alerts with Activator
Driving actions from real-time organizational data is important for making informed data-driven decisions and improving overall efficiency. By leveraging data effectively, organizations can gain insights into customer behaviour, operational performance, and market trends, enabling them to respond promptly to emerging issues and opportunities.
Setting alerts on KQL queries can significantly enhance this proactive approach, especially in scenarios such as customer support. For instance, by monitoring key metrics like response times, ticket volumes, and satisfaction scores, support teams can identify patterns and anomalies that may indicate underlying problems.
Using Activator to set alerts on KQL Queries
Contoso Retailers, a fictitious company, wants to implement a proactive monitoring system by setting alerts on their KQL queries. This will enable them to actively monitor their customer support tickets, order transactions, customer accounts and so on, and drive timely actions based on their real-time data. For example, when the number of unresolved high-priority tickets exceeds a predefined threshold, an alert is immediately triggered. This alert notifies the support team to prioritize these tickets, ensuring that critical issues are addressed promptly.
1 – Drive actions from KQL Queries
Before you can set alerts on a KQL query, you need to create an Eventhouse and an Eventstream that will let you stream real-time data into your KQL database. You can learn more about how to Create an eventhouse and how to Create an eventstream from our documentation.
When an eventstream is created, a default child KQL database is also created and can be used to stream data into. This database also has a default KQL queryset that you can use to check if your data is being streamed into the database.
RawData
| take 10
For this requirement, you need to define the rule logic that checks whether the number of unresolved high-priority tickets exceeds 10 within an hour. You can run a KQL query that returns the results and select which fields you will send with the alert. For example:
TransformedData
| where Status == "Unresolved"
| where CreatedDate < ago(1h)
| summarize UnresolvedCount = count() by IssuePriority, IssueCategory
| render columnchart
Next, you need to set an alert on the KQL query you just ran. Inside the query editor, select the Set an alert option, then define how often the alert should run and how it is triggered: set the condition to check that the count of unresolved tickets exceeds 10 and that the priority is high. Also provide the details to send once the rule has been triggered.
Some things to consider when setting an alert on a KQL query: if your query does not include the render [your chosen chart] line, your alert will trigger on each event in your data; if it does include that line, the alert will trigger on each event grouped by your chosen field, in this case IssuePriority.
Lastly, provide the details for the Action by choosing Teams as the way to send the alert.
For complex logic, you can view and manage the alert in the Activator UI to monitor the activation history and dig into the data that triggered the alert.
In the Activator UI you can use additional actions, and rather than just alerting based on the set condition on this query, you can kick off a data pipeline or run a custom Power Automate flow with additional logic.
Additionally, you can create a Real-Time dashboard so you can visualize the results of the query. You can select Pin to Dashboard then provide the dashboard details like Tile name and Dashboard name.
Note: This dashboard can be edited to add more tiles with visualizations to help Contoso Retailers meet their goals.
The query used for this requirement produced UnresolvedCount as a computed column and IssuePriority and IssueCategory as grouping fields. These three are the only fields passed through to the alert, so you may not be able to use other fields when further configuring the alert. If you want to pass more fields to the alert, you will need to include them in the KQL query as well.
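As an added example (not a query from the original post), this is how the same rule query can be extended so that extra fields reach the alert. It keeps the post's Status, CreatedDate, IssuePriority and IssueCategory columns and assumes one additional column, TicketId, exists on TransformedData.

```kusto
// Added example, not the original post's query.
// Assumes TransformedData has the columns used above plus TicketId (assumed name).
TransformedData
| where Status == "Unresolved"
| where CreatedDate < ago(1h)            // same filter as the post's query
| summarize
    UnresolvedCount = count(),            // the value the alert condition tests (> 10)
    TicketIds = make_set(TicketId)        // extra field, now available to the alert
    by IssuePriority, IssueCategory       // grouping fields passed to the alert
| render columnchart                      // keeps per-IssuePriority grouping for the rule
```

Because TicketIds is part of the summarize output, it becomes a field you can reference when configuring the alert details, alongside UnresolvedCount, IssuePriority and IssueCategory.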
This is one of the ways you can drive actions from KQL queries using Activator. There are other use cases, such as quality control in manufacturing, customer service, and application log monitoring.
Resources
Stream data into Microsoft Fabric with Real-Time Intelligence
Create and activate an Activator rule tutorial