Microsoft Foundry in Practice

Querying Foundry Logs in Log Analytics

Once diagnostic logs flow into a Log Analytics workspace, KQL turns raw Claude request records into answers about tokens, latency, throttling, and refusals. The trick is knowing which signal lives in which log.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Log Analytics is Azure Monitor's query layer: logs land in workspace tables, and you interrogate them with the Kusto Query Language (KQL) — a pipeline-style language where each line filters, summarizes, or reshapes the rows from the previous one. With diagnostic settings routing your Foundry resource's logs to a workspace, the platform side of every Claude call becomes queryable history. This article maps the questions you will actually ask to the data that can answer them — and is candid about which answers need your own application logs instead.

Know your schema before writing queries

Microsoft's Claude-specific documentation does not publish the exact table and column schema that Foundry resource logs produce, and schemas differ across Azure services and log categories. So step one is empirical: open your workspace, look at the tables your diagnostic setting is populating, and inspect a few rows. Build your saved queries against what you find, not against column names copied from another service's tutorial. The patterns below describe the analysis; the identifiers come from your workspace.

The four analyses that earn their keep

QuestionKQL patternData source
Error and throttle rateFilter to your resource, bucket by status code, summarize count() by bin(time, 5m)Platform request logs
Latency percentilessummarize percentiles(duration, 50, 95, 99) per deployment per hourPlatform request logs
Token usage and cost driversSum input/output/cache tokens by model, team, or featureYour application logs (the API usage object)
Refusal trackingCount responses with stop_reason == "refusal", by categoryYour application logs

The split in the last column is the important lesson. Platform logs see the HTTP envelope — timing, status, caller. Only your application sees the response body, and that body carries the two richest signals: the usage object (authoritative input, output, and cache token counts per request) and the stop_reason. If you ingest your application logs into the same workspace (via Application Insights or a custom table), one KQL query can join both worlds through the request-id and apim-request-id headers Foundry returns on every response.

A minimal structured log line from Python gives KQL everything it needs:

import json, logging
from anthropic import AnthropicFoundry

client = AnthropicFoundry(api_key="...", resource="example-resource")
msg = client.messages.create(
    model="claude-sonnet-5",
    max_tokens=1024,
    messages=[{"role": "user", "content": "Summarize this ticket..."}],
)
logging.info(json.dumps({
    "model": "claude-sonnet-5",
    "stop_reason": msg.stop_reason,
    "input_tokens": msg.usage.input_tokens,
    "output_tokens": msg.usage.output_tokens,
}))

About "content-filter hits"

Teams coming from Azure OpenAI often look for content-filter log entries. For Claude, Foundry works differently: Microsoft states that Foundry provides no built-in content filtering for Claude models at deployment time — Claude deployments rely on Anthropic's safety systems, and customers configure any additional content safety during inference themselves. The queryable safety signal is therefore the model's own refusal behavior. On Claude Fable 5, safety-classifier refusals return HTTP 200 with stop_reason: "refusal" — invisible to a status-code query, which is exactly why logging stop_reason application-side matters. A rising refusal rate is worth an alert: it usually means a prompt change, a misbehaving upstream input, or users probing limits.

Rule of thumb: platform logs answer "is the service healthy?"; application logs answer "what is the model doing and what does it cost?". Ingest both into one workspace and join on request-id.

From ad-hoc queries to operational routine

Once the first queries prove useful, promote them: save the error-rate and latency queries as workspace functions so every engineer runs the same definition, pin the results to a shared dashboard, and convert the two or three that matter most into log-based alert rules — a sustained rise in 429s or refusals is worth a page, not a weekly discovery. Keep an eye on workspace cost as well: Log Analytics bills by ingested volume, and a chatty Claude workload can generate more platform log data than you expect. Scope queries to tight time ranges by default, and revisit which log categories you actually query after the first month — anything nobody has queried is a candidate for cheaper storage-account retention instead (see choosing a diagnostic-log destination).

Where to go next

For the metrics-and-alerts side of the same telemetry, see monitoring Foundry with Azure Monitor; for turning the token numbers into dollars, see analyzing Foundry spending.

Sources