Kusto Query Language (KQL) Cheatsheet

Case-Sensitive

Query starts with table name or search

doesn’t consider any order
counterpart of take but with some order in place
type casting
Time filter condition
project: counterpart of SQL’s SELECT
like Group By
summarize by two columns

keywords usually in lowercase

| symbol to separate commands in the query

without in (SecurityEvent), search will cover all the tables
Relational Operators
column alias; EventDetails is an alias here
extend adds the computation as an additional column instead of overwriting an existing column; the new column is not necessarily added at the end
search for rows containing “error”

SecurityEvent | take 10

can go up to 10,000

Filter
multiple conditions
multiple conditions by using multiple where clauses
computed column and substring function

Multiple queries delimited by semicolon

another way to write search for error query