To create a comprehensive document detailing all Kusto Query Language (KQL) operators and functions with explanations, syntax, and examples, here’s an organized approach covering major operators and functions in KQL. The document includes a concise description of each operator and function, examples of its usage, and guidance for working with KQL in Azure Data Explorer or Microsoft Sentinel.
Kusto Query Language (KQL) Operators and Functions
KQL is designed for querying large datasets quickly and efficiently, often for log analysis, monitoring, and interactive analytics. Below is a list of commonly used operators and functions in KQL, organized by categories like filtering, sorting, aggregating, and data transformation.
Table of Contents
- Filtering Operators
wheresearchin
- Sorting and Limiting Operators
takelimittopsort
- Aggregating Operators
summarizecountavgmin/max
- Join and Union Operators
joinunion
- Transformation Functions
projectproject-renameproject-away
- Data Manipulation and Conversion Functions
parseparse_jsontostringtointdatetime_part
- Time-Based Operators
agobinmake-series
- Advanced Analysis Functions
mv-expandfind
- Custom Functions
1. Filtering Operators
where
- Description: Filters rows based on specified conditions.
- Syntax:
<table> | where <condition> - Example:
Events | where Severity == "Critical"search
- Description: Searches for a term across multiple columns in a table.
- Syntax:
<table> | search "<term>" - Example:
Events | search "error"in
- Description: Checks if values exist in a set of specified values.
- Syntax:
<column> in (<value1>, <value2>, ...) - Example:
Events | where EventID in (1001, 1002, 1003)2. Sorting and Limiting Operators
take
- Description: Returns a specified number of rows.
- Syntax:
<table> | take <count> - Example:
Logs | take 5limit
- Description: Limits the result to a specific number of rows.
- Syntax:
<table> | limit <count> - Example:
Logs | limit 10top
- Description: Returns the top N rows based on a specified column.
- Syntax:
<table> | top <count> by <column> [asc | desc] - Example:
Logs | top 5 by Timestamp descsort
- Description: Sorts rows based on a column.
- Syntax:
<table> | sort by <column> [asc | desc] - Example:
Logs | sort by Timestamp asc3. Aggregating Operators
summarize
- Description: Aggregates data by specified columns and aggregation functions.
- Syntax:
<table> | summarize <aggregation function> by <column> - Example:
Events | summarize count() by EventTypecount
- Description: Counts the number of rows.
- Syntax:
<table> | count - Example:
Logs | countavg
- Description: Calculates the average of a numeric column.
- Syntax:
<table> | summarize avg(<column>) - Example:
Events | summarize avg(Duration) by EventTypemin / max
- Description: Finds the minimum or maximum value in a column.
- Syntax:
<table> | summarize min(<column>)ormax(<column>) - Example:
Events | summarize max(Timestamp)4. Join and Union Operators
join
- Description: Combines rows from two tables based on a common key.
- Syntax:
<table1> | join kind=<join_type> (<table2>) on <key> - Example:
Events | join kind=inner (Errors) on EventIDunion
- Description: Combines rows from multiple tables.
- Syntax:
<table1> | union <table2> - Example:
Logs | union Errors5. Transformation Functions
project
- Description: Selects and renames columns.
- Syntax:
<table> | project <column1>, <column2> - Example:
Logs | project Timestamp, EventTypeproject-rename
- Description: Renames columns without dropping others.
- Syntax:
<table> | project-rename <new_name>=<old_name> - Example:
Logs | project-rename EventIDNew = EventIDproject-away
- Description: Drops specified columns.
- Syntax:
<table> | project-away <column1>, <column2> - Example:
Logs | project-away EventID6. Data Manipulation and Conversion Functions
parse
- Description: Extracts values from strings based on a pattern.
- Syntax:
<table> | parse <column> with <pattern> - Example:
Logs | parse Message with "User " User " logged in"parse_json
- Description: Parses JSON-formatted strings into objects.
- Syntax:
<table> | extend <new_column> = parse_json(<column>) - Example:
Logs | extend ParsedMessage = parse_json(Message)tostring
- Description: Converts a value to a string.
- Syntax:
<table> | extend <new_column> = tostring(<column>) - Example:
Logs | extend StringEventID = tostring(EventID)toint
- Description: Converts a value to an integer.
- Syntax:
<table> | extend <new_column> = toint(<column>) - Example:
Logs | extend IntEventID = toint(EventID)datetime_part
- Description: Extracts parts of a date, such as year, month, day.
- Syntax:
datetime_part("part", <datetime_column>) - Example:
Logs | extend Month = datetime_part("month", Timestamp)7. Time-Based Operators
ago
- Description: Returns a datetime offset from the current time.
- Syntax:
ago(<time>) - Example:
Logs | where Timestamp >= ago(1d)bin
- Description: Rounds datetime values to intervals.
- Syntax:
<table> | summarize count() by bin(<column>, <interval>) - Example:
Events | summarize count() by bin(Timestamp, 1h)make-series
- Description: Creates a time series by binning data points.
- Syntax:
make-series <aggregation> on <column> in range(start, stop, interval) - Example:
Events | make-series count() on Timestamp in range(datetime(2022-01-01), datetime(2022-01-31), 1d)8. Advanced Analysis Functions
mv-expand
- Description: Expands multi-value columns into separate rows.
- Syntax:
<table> | mv-expand <column> - Example:
Logs | mv-expand Usersfind
- Description: Finds specific patterns or values in logs.
- Syntax:
find in <table> "<term>" - Example:
find in (Events) "error"9. Custom Functions
Creating a Custom Function
- Description: Define reusable logic for complex operations.
- Syntax:
let <function_name> = (<parameters>) {
<query_body>
};This structure will provide a solid reference for anyone
getting started with KQL, supporting both beginners and intermediate users.
