What Is Real-Time Intelligence in Microsoft Fabric?
Real-Time Intelligence (RTI) is a workload within Microsoft Fabricthat enables organizations to ingest, process, analyze, and act on high-velocity streaming data in near real time. Rather than waiting hours for batch pipelines to deliver data to your analytics layer, RTI processes events as they arrive — typically within 2 to 30 seconds of generation.
RTI solves a problem I see in almost every enterprise I consult with: the gap between “data happened” and “someone can see it.” Manufacturing plants need to know about equipment anomalies now, not tomorrow morning. Financial institutions need to detect fraud while the transaction is still processing. Healthcare systems need to monitor patient vitals and alert staff before a critical threshold is breached.
The four core components of Real-Time Intelligence are:
- 1.Eventstream — Ingests streaming data from sources like Azure Event Hubs, IoT Hub, Kafka, and database CDC, then transforms and routes it to destinations.
- 2.KQL Database — Stores and queries time-series and streaming data using Kusto Query Language, optimized for high-throughput analytical queries on billions of records.
- 3.Real-Time Dashboard — Auto-refreshing visual dashboards that query KQL Databases and display live operational metrics with refresh intervals as low as 10 seconds.
- 4.Data Activator — A trigger-based alerting engine that monitors streaming data for conditions and automatically fires notifications via email, Teams, or Power Automate workflows.
If your organization already has a Fabric capacity (F2 or above) or a Power BI Premium capacity, you have access to Real-Time Intelligence today with no additional license required. All four components run on your existing Fabric Capacity Units.
Before vs. After: Why Real-Time Intelligence Changes Everything
Most organizations I work with are running some version of the “before” column. They have batch pipelines that refresh data warehouses overnight, Power BI reports that show yesterday’s data, and manual processes for detecting anomalies. Here is what changes when you implement Real-Time Intelligence:
| Capability | Before RTI (Traditional) | With Fabric RTI |
|---|---|---|
| Data freshness | Hours to days (batch refresh) | 2-30 seconds (streaming) |
| Anomaly detection | Manual review of reports | Automated via Data Activator triggers |
| Infrastructure | Multiple Azure services to manage | Single Fabric workspace (SaaS) |
| Query language | T-SQL on data warehouse | KQL optimized for time-series |
| Dashboard refresh | Scheduled (every 15-60 min) | Auto-refresh every 10 seconds |
| Alerting | Power Automate polling on schedule | Data Activator real-time triggers |
| Licensing | Separate Azure + Power BI licenses | Included in Fabric capacity |
| Data pipeline complexity | ADF + Event Hubs + Stream Analytics + SQL | Eventstream (single component) |
Architecture Overview: How Data Flows Through Real-Time Intelligence
Understanding the data flow is critical before you start building. In my experience deploying RTI for Fortune 500 clients, the architecture follows a consistent pattern that I call the “Source-Stream-Store-Surface-Act” pipeline:
Source (Data Producers)
IoT sensors, application logs, database CDC streams, Kafka topics, Event Hubs, custom applications publishing via SDK
Stream (Eventstream)
Ingests events, applies transformations (filter, aggregate, manage fields, group by, union), routes to one or more destinations
Store (KQL Database)
Persists streaming data in a columnar store optimized for time-series queries, supports retention policies, materialized views, and functions
Surface (Real-Time Dashboard / Power BI)
Auto-refreshing dashboards that execute KQL queries and render live visualizations, or Power BI reports connected via DirectQuery
Act (Data Activator)
Monitors data for conditions and triggers alerts via email, Teams, or Power Automate when thresholds are breached
The beauty of this architecture is that Eventstream can simultaneously route data to multiple destinations. A single Eventstream can send raw events to a KQL Database for real-time querying, a Lakehouse for long-term storage and batch analytics, and a Data Activator trigger for alerting — all from the same incoming stream. This eliminates the need to duplicate pipelines or manage multiple ingestion paths.
Everything lives within a single Fabric workspace. There are no separate Azure resource groups to manage, no networking configurations to troubleshoot, and no cross-service authentication to set up. This is a massive reduction in operational complexity compared to the traditional Azure architecture of Event Hubs + Stream Analytics + Azure Data Explorer + Power BI.
Eventstream Deep Dive: Ingestion, Transformation, and Routing
Eventstream is the entry point for all streaming data into Fabric Real-Time Intelligence. Think of it as a visual, low-code pipeline builder specifically designed for streaming scenarios. Having deployed Eventstreams for clients processing millions of events per hour, I can tell you this is where most of the architectural decisions happen.
Supported Sources
Eventstream connects to a wide range of data producers. Here are the source categories and specific connectors available as of March 2026:
Messaging & Streaming
- Azure Event Hubs
- Azure IoT Hub
- Apache Kafka (self-hosted or Confluent)
- Amazon Kinesis Data Streams
- Custom App (SDK-based publishing)
Change Data Capture (CDC)
- Azure SQL Database CDC
- SQL Server on VM CDC
- PostgreSQL CDC
- MySQL CDC
- Azure Cosmos DB CDC
Fabric-Native
- Fabric Workspace Events
- Sample Data (for testing)
- Azure Blob Storage Events
External via REST API
- Any HTTP-capable application
- Webhooks from SaaS platforms
- Custom microservices
In-Stream Transformations
Before data reaches its destination, Eventstream can transform events in-flight. This is critical for reducing storage costs and improving query performance. The available transformations include:
- Filter:Remove events that do not meet specified criteria. For example, filter out sensor readings below a noise threshold or exclude test transactions from production streams.
- Manage Fields:Add, remove, or rename fields in the event payload. Use this to drop sensitive PII fields before storage or add computed fields like timestamps and region codes.
- Aggregate:Compute windowed aggregations (tumbling, hopping, session windows) over streaming data. Calculate metrics like average temperature per 5-minute window or transaction count per minute.
- Group By:Partition the stream by a key field (device ID, region, customer segment) for downstream processing and aggregation.
- Union:Merge multiple source streams into a single output stream. Useful when combining events from different IoT device types or regional event hubs into one unified stream.
- Expand:Flatten nested arrays within event payloads into individual records, which is common when IoT devices batch multiple readings into a single message.
Destinations
Eventstream supports multiple simultaneous destinations. This is one of the most powerful aspects of the architecture — you can fan out a single stream to multiple targets without duplicating infrastructure:
- KQL Database — Primary destination for real-time querying and dashboards
- Lakehouse — Long-term storage in Delta Parquet format for batch analytics and data analytics
- Data Warehouse — Structured storage for SQL-based analytics
- Custom App — Forward events to external applications via SDK
- Derived Eventstream — Chain Eventstreams together for complex processing topologies
- Reflex (Data Activator) — Direct routing to alerting triggers
KQL Database: High-Performance Querying for Streaming Data
The KQL Database is the analytical engine of Real-Time Intelligence. Built on the same technology as Azure Data Explorer (Kusto), it is purpose-designed for querying massive volumes of time-series, log, and telemetry data. Where a traditional SQL data warehouse might struggle with ad-hoc queries across billions of rows of time-stamped event data, a KQL Database handles this natively with sub-second query performance.
Understanding Kusto Query Language (KQL)
KQL uses a pipe-based syntax that reads top-to-bottom, left-to-right. Every query starts with a table name and flows through a series of operators separated by the pipe character. Here is how common SQL operations map to KQL:
| SQL Operation | KQL Equivalent | Example |
|---|---|---|
| SELECT columns | project | | project DeviceId, Temperature |
| WHERE condition | where | | where Temperature > 90 |
| GROUP BY + aggregation | summarize | | summarize avg(Temp) by DeviceId |
| ORDER BY | sort by | | sort by Timestamp desc |
| TOP / LIMIT | take | | take 100 |
| Computed column | extend | | extend TempF = Temp * 1.8 + 32 |
| DISTINCT | distinct | | distinct DeviceId |
| JOIN | join | | join kind=inner (Table2) on Key |
Time-Series Functions That Have No SQL Equivalent
KQL’s real power shows when you need time-series analysis. These built-in functions make operations that would require complex SQL window functions or external tools trivial:
- bin() — Groups timestamps into fixed intervals (bin(Timestamp, 5m) groups by 5-minute buckets)
- ago() — Relative time references (where Timestamp > ago(1h) gets the last hour of data)
- make-series — Creates time-series arrays for trend analysis and anomaly detection
- series_decompose_anomalies() — Built-in anomaly detection on time-series data
- render — Inline visualization of query results (timechart, barchart, piechart)
- startofday(), startofweek(), startofmonth() — Calendar-aware time bucketing
- prev(), next() — Access adjacent rows without window function overhead
Retention Policies and Materialized Views
KQL Databases support configurable retention policies that automatically purge data older than a specified period. For most real-time monitoring scenarios, I recommend a 30 to 90-day retention in the KQL Database (hot/warm tier for fast queries) with Eventstream simultaneously routing raw data to a Lakehouse for long-term cold storage. This keeps your KQL Database lean and query performance fast.
Materialized views are pre-computed aggregations that update incrementally as new data arrives. Instead of re-computing a “daily average temperature per device” query over the entire dataset each time, a materialized view maintains the running aggregation and updates it with each new batch of ingested data. This dramatically reduces query cost for frequently-accessed summary metrics.
Real-Time Dashboards: Live Operational Visualizations
Real-Time Dashboards in Fabric are purpose-built for operational monitoring scenarios where data freshness is measured in seconds, not hours. They are distinct from standard Power BI dashboards in several important ways.
Key Differences from Standard Power BI Dashboards
| Feature | Power BI Dashboard | Real-Time Dashboard |
|---|---|---|
| Data source | Semantic model (Import/DirectQuery) | KQL Database (direct KQL queries) |
| Refresh rate | Scheduled (min 15 min for Import) | Auto-refresh every 10 seconds |
| Query language | DAX / M | KQL |
| Best for | Business analytics, reporting | Operational monitoring, NOC screens |
| Parameters | Slicers and filters | KQL parameters with dropdowns |
| Authoring | Power BI Desktop / Service | Fabric portal (browser-based) |
Real-Time Dashboards support tiles, which are individual visual components backed by KQL queries. Each tile can have its own query, refresh interval, and conditional formatting. You can create tiles for time charts, bar charts, tables, stat cards, maps, and more. Parameters allow dashboard consumers to filter data dynamically — for example, selecting a specific device ID, region, or time range.
For organizations that want to combine real-time and historical data, I recommend a hybrid approach: Real-Time Dashboards for operational monitoring (displayed on wall-mounted screens in NOCs or factory floors) and standard Power BI reports for business analytics and executive reporting. Both can source data from the same KQL Database.
Data Activator: Automated Alerting and Action Engine
Data Activator is the component that transforms Real-Time Intelligence from a passive monitoring system into an active response system. Instead of relying on someone watching a dashboard, Data Activator continuously evaluates conditions against your streaming data and triggers actions automatically.
How Data Activator Works
The workflow is straightforward. You create a Reflex item in your Fabric workspace, connect it to a data source (Eventstream, KQL Database query results, or a Power BI visual), define a trigger condition, and specify an action. Data Activator evaluates the trigger continuously and fires the action when the condition is met.
Trigger conditions can be simple thresholds (temperature exceeds 200 degrees), rate-of-change detections (value increases by more than 10% within 5 minutes), absence conditions (no data received from device in 15 minutes), or compound conditions combining multiple criteria.
Available actions include:
- Email notification — Send formatted email alerts to specified recipients with dynamic content from the triggering event
- Microsoft Teams message — Post alerts to Teams channels or direct messages for immediate team visibility
- Power Automate flow — Trigger any Power Automate workflow, enabling integration with hundreds of external systems (ServiceNow tickets, Slack messages, Twilio SMS, database updates, and more)
Enterprise Use Cases for Data Activator
- Stock price thresholds: Alert portfolio managers when a tracked security drops below a defined price or volatility threshold
- IoT anomaly detection: Notify maintenance teams when equipment sensor readings deviate from normal operating ranges
- SLA breach prevention: Escalate to management when service response times approach contractual SLA limits
- Patient vital monitoring: Alert clinical staff when patient telemetry exceeds safe parameters in HIPAA-compliant healthcare environments
- Inventory reorder points: Trigger procurement workflows when real-time inventory levels drop below reorder thresholds
5 Enterprise Use Cases for Real-Time Intelligence
These are architectures I have designed or reviewed for enterprise clients. Each demonstrates a different pattern for deploying Fabric Real-Time Intelligence at scale.
1. IoT Manufacturing Monitoring
Scenario:A Fortune 500 manufacturing client with 5,000+ sensors across 12 production lines generating temperature, vibration, pressure, humidity, and throughput readings every 2 seconds — approximately 150,000 events per minute.
Architecture: We deployed our Real-Time Operations Intelligence Blueprintfor this client. Sensors publish to Azure IoT Hub via MQTT protocol, which feeds into Fabric Eventstream. Eventstream applies a filter transformation to remove noise (readings within normal operating range), computes 30-second rolling averages for trend detection, routes anomalous readings to a KQL Database, and simultaneously sends all raw data to a Lakehouse for historical analysis and ML model training. A Real-Time Dashboard on factory floor screens shows live equipment status across all 12 lines with OEE (Overall Equipment Effectiveness) calculations updating every 10 seconds. Data Activator triggers are configured for three severity levels: yellow (warning via Teams), orange (escalation to shift supervisor via email), and red (automatic production line pause via Power Automate integration with the plant’s SCADA system).
Key Metrics Tracked: OEE per production line, Mean Time Between Failures (MTBF), Mean Time To Repair (MTTR), energy consumption per unit produced, defect rate per line, and vibration trend analysis for predictive maintenance scoring.
Result: Unplanned downtime reduced by 35% in the first 90 days. Mean time to respond to equipment anomalies dropped from 45 minutes to under 3 minutes. OEE improved from 72% to 85%. Annual savings of $1.2M from predictive maintenance alone, with an additional $400K saved through energy optimization insights. Full ROI achieved within 5 months of deployment. See our IoT Operations Dashboard Blueprint section below for the detailed framework we used.
2. Financial Fraud Detection
Scenario: A financial services firm processing 50,000+ transactions per minute needs to detect and flag suspicious patterns within seconds.
Architecture: Transaction events flow from the payment processing system to Azure Event Hubs, then into Eventstream. Eventstream enriches transactions with customer profile data via a reference table join and routes to a KQL Database. KQL materialized views maintain running aggregations of transaction velocity per customer. Anomaly detection queries using series_decompose_anomalies() identify deviations from normal patterns. Data Activator triggers Power Automate flows that freeze accounts and notify the fraud investigation team.
Result: Fraud detection latency reduced from 4 hours (batch) to under 15 seconds. False positive rate decreased by 20% through richer real-time context.
3. Healthcare Patient Vitals Monitoring
Scenario: A hospital network monitoring 2,000 patients across 8 facilities, with bedside monitors streaming heart rate, blood pressure, SpO2, and respiratory rate.
Architecture: Medical device integration engines publish vital sign data to a HIPAA-compliant Event Hub with encryption in transit and at rest. Eventstream ingests the data, applies PHI field management (removing direct identifiers for the analytics path while retaining them in the clinical Lakehouse), and routes to a KQL Database. Real-Time Dashboards on nursing station screens display patient status with color-coded severity indicators. Data Activator sends high-priority Teams alerts and pages to on-call physicians when vitals breach critical thresholds.
Result: Rapid response team activation time reduced by 60%. HIPAA compliance maintained through field-level access controls and audit logging in Fabric governance features.
4. Supply Chain Logistics Tracking
Scenario: A global logistics company tracking 10,000+ shipments with GPS-enabled containers reporting location, temperature (for cold chain), and door-open/close events.
Architecture: GPS and sensor data flows through a Kafka cluster into Eventstream. Transformations compute geofence intersections and estimated arrival times. KQL Database stores position history with 90-day retention. Real-Time Dashboards display fleet maps with live positions and ETA calculations. Data Activator triggers customer notifications when shipments enter delivery zones and alerts operations when cold-chain temperature excursions are detected.
Result: Customer satisfaction improved 25% through proactive delivery notifications. Cold chain compliance incidents reduced by 40% through immediate temperature alerts.
5. E-Commerce Real-Time Personalization
Scenario: An e-commerce platform processing 2 million page views per hour wants to detect shopping patterns and trigger personalized offers in real time.
Architecture:Clickstream events from the web application are published to Event Hubs and ingested by Eventstream. Transformations enrich events with customer segment data and compute session-level metrics (pages viewed, cart value, time on site). KQL Database enables sub-second queries for dashboards showing live conversion funnels and trending products. Data Activator triggers Power Automate flows that push personalized discount offers via the e-commerce platform’s notification API when high-intent cart abandonment patterns are detected.
Result: Cart abandonment rate reduced by 18%. Real-time personalized offers generated a 12% increase in average order value.
IoT Operations Dashboard Blueprint: The Real-Time Operations Intelligence Framework
After deploying Fabric Real-Time Intelligence for manufacturing and industrial clients across automotive, pharmaceutical, food processing, and heavy machinery sectors, I developed the Real-Time Operations Intelligence Blueprint— a repeatable framework for building production-grade IoT monitoring solutions on Microsoft Fabric. This is the framework we use at EPC Group for every IoT engagement, and it consistently delivers measurable ROI within the first quarter.
Architecture: IoT to Fabric to Dashboard Data Flow
The Real-Time Operations Intelligence Blueprint follows a six-stage data flow that maps directly to the Fabric RTI architecture:
IoT Sensors & Edge Devices
Temperature probes, vibration sensors, pressure transducers, flow meters, energy monitors, and PLCs on production equipment publish telemetry via MQTT or AMQP protocol. Edge devices (Azure IoT Edge) perform local preprocessing: data compression, protocol translation, and local buffering during connectivity interruptions.
Azure IoT Hub (Cloud Gateway)
IoT Hub serves as the cloud ingestion layer, handling device authentication (X.509 certificates or SAS tokens), message routing, and device twin management. Each device registers with IoT Hub, enabling centralized firmware updates and configuration changes. IoT Hub scales to millions of simultaneous device connections.
Fabric Eventstream (Stream Processing)
Eventstream connects directly to IoT Hub as a source. In-stream transformations compute rolling averages (30-second and 5-minute windows), detect threshold breaches, enrich events with equipment metadata from reference tables (machine ID to production line mapping, maintenance history), and route to multiple destinations simultaneously.
KQL Database (Real-Time Analytics Store)
Processed telemetry lands in KQL Database tables optimized for time-series queries. Materialized views maintain pre-aggregated metrics (hourly OEE, daily MTBF calculations). Retention policies automatically archive data older than 90 days to OneLake cold storage. Functions encapsulate reusable anomaly detection logic.
Real-Time Dashboard (Operational Visibility)
Auto-refreshing dashboards display live production metrics on factory floor monitors, shift supervisor tablets, and executive summary screens. KQL-powered visuals show OEE gauges, vibration trend lines, temperature heatmaps across equipment, production throughput counters, and defect rate sparklines — all updating every 10 seconds.
Data Activator (Automated Response)
Continuous monitoring with tiered alert rules. Triggers fire within seconds of condition detection, sending notifications via Teams, email, SMS (via Power Automate + Twilio), or directly invoking SCADA system commands to pause production lines when safety thresholds are breached.
5 Key IoT Metrics Every Manufacturing Dashboard Must Track
Through dozens of manufacturing RTI deployments, I have identified five metrics that every IoT operations dashboard must surface in real time. These are the KPIs that plant managers, operations directors, and maintenance leads actually use to make decisions:
1. OEE (Overall Equipment Effectiveness)
The gold standard metric for manufacturing productivity. OEE = Availability x Performance x Quality. World-class OEE is 85%+. Most plants we assess initially score 60-72%.
Calculated in KQL from uptime events, cycle time data, and quality inspection results in real time.
2. MTBF (Mean Time Between Failures)
Measures equipment reliability. Higher MTBF indicates more reliable equipment. Tracking MTBF trends per machine identifies assets approaching end-of-life or needing preventive maintenance.
Computed from equipment state change events (running → stopped) stored in KQL Database.
3. MTTR (Mean Time To Repair)
Measures maintenance team responsiveness. Lower MTTR means faster recovery. Our blueprint typically reduces MTTR by 40-60% through instant alerting and diagnostic context delivered to technicians’ mobile devices.
Tracked from failure event to resolution event, with maintenance team response time breakdowns.
4. Energy Consumption per Unit
Tracks energy efficiency per unit produced. Spikes indicate equipment degradation, miscalibration, or process drift. Clients typically discover 10-15% energy waste within the first month of monitoring.
Correlated from smart meter data and production counter events in Eventstream.
5. Defect Rate per Production Line
Real-time quality metric tracking reject rates per line. When defect rate spikes above SLA thresholds, Data Activator immediately alerts quality engineers with the specific line, time window, and correlated sensor readings (temperature, pressure, speed) to accelerate root cause analysis.
Aggregated from inline quality inspection system events joined with production line telemetry.
Anomaly Detection with KQL: Practical Examples
KQL includes powerful built-in functions for detecting anomalies in streaming sensor data. Here are two production KQL queries we use in the Real-Time Operations Intelligence Blueprint:
// Detect temperature spikes: identify readings that deviate >3 standard deviations from the 1-hour rolling average
SensorTelemetry
| where Timestamp > ago(1h)
| where SensorType == "temperature"
| summarize AvgTemp = avg(Value), StdDev = stdev(Value) by bin(Timestamp, 5m), ProductionLineId
| extend UpperThreshold = AvgTemp + (3 * StdDev)
| extend LowerThreshold = AvgTemp - (3 * StdDev)
| join kind=inner (
SensorTelemetry
| where Timestamp > ago(1h)
| where SensorType == "temperature"
) on ProductionLineId, $left.Timestamp == $right.bin(Timestamp, 5m)
| where Value > UpperThreshold or Value < LowerThreshold
| project Timestamp, ProductionLineId, DeviceId, Value, AvgTemp, StdDev, UpperThreshold
| order by Timestamp desc// Vibration anomaly detection using series_decompose_anomalies for predictive maintenance
SensorTelemetry
| where Timestamp > ago(24h)
| where SensorType == "vibration"
| make-series VibrationSeries = avg(Value) on Timestamp from ago(24h) to now() step 5m by DeviceId
| extend (Anomalies, AnomalyScore, ExpectedValue) = series_decompose_anomalies(VibrationSeries, 2.5)
| mv-expand Timestamp to typeof(datetime), VibrationSeries to typeof(double),
Anomalies to typeof(int), AnomalyScore to typeof(double), ExpectedValue to typeof(double)
| where Anomalies != 0
| project Timestamp, DeviceId, ActualVibration = VibrationSeries, ExpectedValue,
AnomalyScore, AnomalyType = iff(Anomalies > 0, "Spike", "Drop")
| order by abs(AnomalyScore) descThe first query uses statistical thresholds (3 standard deviations) to catch sudden temperature spikes that may indicate equipment malfunction, coolant failure, or material feed issues. The second query leverages KQL’s built-in series_decompose_anomalies()function, which applies seasonal decomposition to identify vibration patterns that deviate from expected behavior — a leading indicator of bearing wear, misalignment, or impending mechanical failure.
Data Activator Alert Configuration for IoT
Data Activator provides the automated response layer in our blueprint. Here are four critical alert rules we configure for every manufacturing deployment:
Critical: Temperature Exceeds Safety Threshold
Condition: Any temperature sensor reading exceeds equipment-specific maximum operating temperature for more than 30 seconds. Action: Immediate Teams alert to maintenance team + Power Automate flow triggers SCADA emergency stop command + email notification to plant manager. Response SLA: under 60 seconds.
High: Production Line Unexpected Stop
Condition: Production counter events stop arriving for a line that is scheduled to be running (cross-referenced with shift schedule data). Action: Teams alert to shift supervisor with last 5 minutes of sensor readings for that line + automatic incident ticket creation in ServiceNow via Power Automate.
Medium: Quality Metric Drops Below SLA
Condition: Defect rate per production line exceeds the contractual SLA threshold (e.g., 2% reject rate) calculated over a rolling 30-minute window. Action: Email alert to quality engineering team with correlated sensor data (temperature, pressure, speed at time of defect spike) for immediate root cause investigation.
Informational: Predictive Maintenance Threshold
Condition: Vibration anomaly score from KQL series_decompose_anomalies() exceeds 2.5 for three consecutive 5-minute intervals, indicating progressive equipment degradation. Action: Automated work order creation in the CMMS (Computerized Maintenance Management System) with predicted failure window and recommended maintenance action.
ROI: What Our Clients Actually Achieve
Clients implementing our Real-Time Operations Intelligence Blueprint consistently report measurable results within the first 90 days:
- 15-25%reduction in unplanned downtime through predictive maintenance alerts and faster anomaly response
- 10-18%improvement in OEE (Overall Equipment Effectiveness) from real-time visibility into availability, performance, and quality losses
- $500K-$2Mannual savings from predictive maintenance replacing reactive break-fix approaches, with the range depending on plant size and equipment value
- 40-60%reduction in Mean Time To Repair (MTTR) through instant alerts with diagnostic context delivered to technician mobile devices
- 3-5 monthstypical time to full ROI, with most clients seeing positive returns within the first quarter of production deployment
These numbers are based on production deployments across automotive, pharmaceutical, food and beverage, and industrial manufacturing clients. The largest single-site savings we have documented was $2.3M annually for an automotive parts manufacturer running 24 production lines with 8,000+ sensors, where the combination of predictive maintenance and energy optimization delivered compounding returns.
Real-Time Intelligence vs. Stream Analytics vs. Azure Data Explorer
One of the most common questions I receive from enterprise clients is how Fabric RTI compares to existing Azure streaming services. Here is a detailed comparison across 10 dimensions:
| Dimension | Fabric RTI | Azure Stream Analytics | Azure Data Explorer |
|---|---|---|---|
| Service model | SaaS (Fabric) | PaaS (Azure) | PaaS (Azure) |
| Query language | KQL | SQL-like (SAQL) | KQL |
| Infrastructure management | None (fully managed) | Minimal (job-level) | Cluster provisioning required |
| Billing | Fabric CU pool | Per streaming unit | Per cluster + storage |
| Built-in alerting | Data Activator (native) | Azure Monitor / Functions | Azure Monitor alerts |
| Dashboard integration | Native Real-Time Dashboards + Power BI | Power BI via output | ADX Dashboards + Power BI |
| Data lake integration | OneLake (native) | ADLS Gen2 (manual config) | ADLS Gen2 (external tables) |
| CDC support | Built into Eventstream | Not native | Not native |
| Learning curve | Low (visual Eventstream + KQL) | Medium (SAQL syntax) | Medium-High (cluster ops + KQL) |
| Microsoft’s strategic direction | Primary investment | Maintenance mode | Converging into Fabric |
My recommendation for new projects is clear: start with Fabric Real-Time Intelligence. Azure Stream Analytics is in maintenance mode and will not receive significant new features. Azure Data Explorer is being converged into Fabric as the KQL Database workload. Organizations currently running ADX clusters should plan a migration path to Fabric RTI, which Microsoft has made relatively straightforward since KQL queries are fully compatible.
Pricing and Capacity Planning for Real-Time Intelligence
Real-Time Intelligence does not have a separate price tag — it consumes Fabric Capacity Units (CUs) from your existing Fabric capacity. However, understanding how each component consumes CUs is critical for capacity planning.
Fabric Capacity SKUs and RTI Workloads
| SKU | CUs | Pay-As-You-Go/mo | RTI Suitability |
|---|---|---|---|
| F2 | 2 | ~$262/mo | Dev/test only |
| F4 | 4 | ~$526/mo | Low-volume streaming POC |
| F8 | 8 | ~$1,051/mo | Small production workloads |
| F16 | 16 | ~$2,102/mo | Medium production (recommended start) |
| F32 | 32 | ~$4,205/mo | High-throughput streaming |
| F64 | 64 | ~$5,259/mo | Enterprise (unlimited Power BI viewers) |
| F128+ | 128+ | ~$10,518+/mo | Large-scale enterprise / multi-workload |
How RTI Components Consume CUs
- Eventstream processing: CU consumption scales with event throughput and transformation complexity. A simple pass-through consumes minimal CUs, while windowed aggregations on high-volume streams consume significantly more.
- KQL Database compute: Query execution draws CUs proportional to data scanned and query complexity. Materialized views reduce ongoing query cost by pre-computing results.
- KQL Database storage: Billed through OneLake at approximately $0.023/GB/month. Separate from CU consumption. Retention policies help control storage growth.
- Real-Time Dashboard rendering: Each auto-refresh cycle executes KQL queries against your capacity. More tiles and more frequent refresh intervals consume more CUs.
- Data Activator evaluation: Trigger condition evaluation runs continuously and consumes a small but steady amount of CUs. The cost is negligible for most workloads.
Capacity planning tip: I recommend starting with an F16 dedicated to RTI workloads, separate from your Power BI reporting capacity. Monitor CU utilization through the Fabric Capacity Metrics app for two weeks, then right-size. It is much easier to scale down from an F16 than to troubleshoot performance issues on an undersized F4 during a production incident.
Getting Started: 6 Steps from Fabric Workspace to Live Dashboard
Here is the step-by-step walkthrough I use when onboarding enterprise clients to Real-Time Intelligence. This assumes you already have a Fabric capacity provisioned.
Create a Fabric Workspace for RTI
Navigate to the Fabric portal (app.fabric.microsoft.com), create a new workspace, and assign it to your Fabric capacity. I recommend a dedicated workspace for real-time workloads separate from your data warehouse and Power BI workspaces. Name it clearly, such as “RTI-Production” or “RealTime-Manufacturing.”
Create a KQL Database
In your workspace, select New > KQL Database. Name it descriptively (e.g., “ManufacturingSensors” or “TransactionEvents”). Configure the retention policy — 30 days is a good starting point for most real-time monitoring scenarios. You can always adjust this later.
Create an Eventstream
Select New > Eventstream. Add your source (start with Sample Data if you are prototyping, or connect to your Event Hub / IoT Hub for real data). Add transformations as needed. Add your KQL Database as a destination. Eventstream will automatically create the target table in your KQL Database with the appropriate schema.
Verify Data Ingestion with KQL Queries
Open your KQL Database and run a simple query to verify data is flowing: YourTable | take 10. Then try a time-based query: YourTable | where Timestamp > ago(5m) | count. If you see results, your pipeline is working.
Build a Real-Time Dashboard
Select New > Real-Time Dashboard. Add tiles by writing KQL queries against your database. Start with a time chart showing event volume over time, a stat card for the latest value, and a table showing the most recent events. Set the auto-refresh interval to 30 seconds (you can reduce it to 10 seconds once the dashboard is stable). Add parameters for time range and any key dimensions.
Configure Data Activator Alerts
Create a new Reflex item in your workspace. Connect it to your Eventstream or KQL Database. Define trigger conditions for the metrics that matter most — start with one or two high-priority alerts (critical temperature threshold, transaction failure rate spike) before adding more. Configure email or Teams notifications. Test thoroughly by simulating threshold breach events before going live.
Frequently Asked Questions: Fabric Real-Time Intelligence
What is Real-Time Intelligence in Microsoft Fabric?
Real-Time Intelligence (RTI) is a workload within Microsoft Fabric designed for ingesting, processing, analyzing, and acting on high-velocity streaming data in near real time. It combines four core components: Eventstream for data ingestion and transformation, KQL Database for high-performance querying of time-series and streaming data using Kusto Query Language, Real-Time Dashboards for auto-refreshing visualizations, and Data Activator for trigger-based alerting and automated actions. RTI is purpose-built for scenarios such as IoT telemetry monitoring, financial fraud detection, patient vitals tracking, and supply chain logistics where data must be analyzed within seconds of generation rather than hours or days.
How much does Fabric Real-Time Intelligence cost?
Real-Time Intelligence consumes Fabric Capacity Units (CUs) from your existing Fabric capacity, so there is no separate license to purchase. The cost depends on your Fabric SKU: F2 starts at approximately $262.80/month, F4 at $525.60/month, and so on up through F2048 for large enterprises. Eventstream processing, KQL Database compute, and Real-Time Dashboard rendering all draw from your CU pool. KQL Database storage is billed through OneLake at approximately $0.023 per GB per month. For production streaming workloads, Microsoft recommends at least an F8 or F16 capacity to ensure adequate throughput without impacting other Fabric workloads like Power BI reports and data pipelines.
What data sources can Eventstream connect to?
Eventstream supports a broad range of streaming and change data capture sources. Native connectors include Azure Event Hubs, Azure IoT Hub, Apache Kafka (including Confluent Cloud), Custom Apps via SDK, Azure SQL Database CDC (Change Data Capture), PostgreSQL CDC, MySQL CDC, Azure Cosmos DB CDC, and Amazon Kinesis Data Streams. Eventstream also supports sample data sources for testing and prototyping. For sources without a native connector, you can publish events via the Eventstream REST API or route them through Azure Event Hubs as an intermediary. Each Eventstream can have multiple sources feeding into a single processing pipeline.
Is KQL hard to learn if I know SQL?
KQL (Kusto Query Language) is generally easy to pick up for SQL users, though the syntax flows differently. Instead of SELECT-FROM-WHERE, KQL uses a pipe-based syntax: TableName | where Condition | project Columns | summarize aggregation. Most SQL developers become productive with KQL within one to two weeks. Key differences include: KQL uses "project" instead of SELECT, "where" works similarly but uses == for equality, "summarize" replaces GROUP BY, and "extend" adds calculated columns. KQL excels at time-series operations with built-in functions like bin(), ago(), startofday(), and make-series that have no direct SQL equivalent. Microsoft provides a SQL-to-KQL cheat sheet in the Fabric documentation.
Can I use Real-Time Intelligence with Power BI?
Yes, Real-Time Intelligence integrates deeply with Power BI. You can create Real-Time Dashboards that auto-refresh every few seconds using KQL queries as the data source, which is ideal for operational monitoring. You can also connect standard Power BI reports to KQL Databases using DirectQuery mode, which gives you near-real-time data in familiar Power BI visuals and reports that can be shared via the Power BI service. Additionally, KQL Database tables can be added to Fabric lakehouses and consumed through Power BI semantic models. The Real-Time Dashboard experience is built into the Fabric portal and supports KQL-native visuals, parameters, and conditional formatting.
What is Data Activator in Microsoft Fabric?
Data Activator is the alerting and action engine within Fabric Real-Time Intelligence. It monitors streaming data for specific conditions and automatically triggers actions when those conditions are met. You define triggers using a no-code visual interface: select a data source (Eventstream, KQL Database, or Power BI visual), define a condition (e.g., temperature exceeds 90 degrees, stock price drops below threshold, SLA response time exceeds limit), and specify an action (send email, post to Microsoft Teams, trigger a Power Automate flow). Data Activator evaluates conditions continuously and fires actions within seconds. Common use cases include IoT anomaly alerts, financial threshold notifications, patient vital sign warnings, and SLA breach escalations.
How fast is real-time in Fabric (latency)?
Microsoft Fabric Real-Time Intelligence delivers end-to-end latency typically between 2 and 30 seconds depending on the pipeline configuration, data volume, and Fabric capacity SKU. Eventstream ingestion latency is usually under 5 seconds from source to KQL Database. KQL queries execute in milliseconds to low seconds for most operational queries. Real-Time Dashboards auto-refresh at configurable intervals as low as 10 seconds. Data Activator trigger evaluation occurs within seconds of data arrival. For extremely latency-sensitive scenarios (sub-second), Azure Event Hubs with Azure Stream Analytics may still be appropriate, but for the vast majority of enterprise real-time analytics needs, Fabric RTI latency is more than sufficient.
Do I need a separate license for Real-Time Intelligence?
No. Real-Time Intelligence is included as a workload within any Microsoft Fabric capacity (F2 and above). If your organization already has a Fabric capacity or a Power BI Premium capacity (P1 or above, which Microsoft converted to include Fabric in late 2024), you can start using Real-Time Intelligence immediately without purchasing an additional license. All RTI components, including Eventstream, KQL Database, Real-Time Dashboards, and Data Activator, run on your existing Fabric CU pool. The only additional cost is OneLake storage consumed by your KQL Database data. Users accessing Real-Time Dashboards need either a Power BI Pro license ($10/user/month) or a Fabric capacity of F64 or above for unlimited viewer access.
Related Resources
What Is Microsoft Fabric? Definitive Guide
Complete overview of the Fabric platform, workloads, OneLake, and enterprise architecture.
Power BI Pricing & Licensing Guide 2026
Understand Fabric capacity SKUs, Power BI Pro vs. Premium, and how licensing affects RTI access.
Microsoft Fabric Consulting Services
Enterprise Fabric implementation, architecture design, and migration services from EPC Group.
Data Analytics Consulting
End-to-end data analytics strategy, platform selection, and implementation for enterprises.
Power BI Consulting Services
Dashboard development, data modeling, enterprise deployment, and managed services.
Need Help Implementing Real-Time Intelligence?
EPC Group has deployed Fabric Real-Time Intelligence for Fortune 500 clients across healthcare, financial services, manufacturing, and logistics. Schedule a free consultation to discuss your real-time analytics requirements.