Posted in AZ-500 Azure Security Engineer Associate, Azure Administrator, Azure Security Engineer, Azure Solutions Architect, MS Cyber Security Architect Expert, MS Security Operations Analyst

Kusto Query Language (KQL) Beginner’s Guide

   November 2, 2024

Introduction

Kusto Query Language (KQL) is a powerful query language developed by Microsoft to work with Azure Data Explorer, a fully managed data analytics service. KQL is used extensively in Azure Monitor, Microsoft Sentinel, and Application Insights to analyze large datasets, especially log and telemetry data.

KQL is optimized for fast data retrieval and can handle complex data operations across millions of rows. It’s similar in syntax to SQL but designed specifically for handling structured, semi-structured, and unstructured data.

Table of Contents

  1. History and Background of KQL
  2. Concept of KQL
  3. Basic Syntax and Structure
  4. Core Operators in KQL
  5. Data Filtering
  6. Aggregation and Summarization
  7. Data Transformation and Projection
  8. Working with Time-Based Data
  9. Joining and Combining Data
  10. Advanced Functions and Custom Functions
  11. Practical Examples

1. History and Background of KQL

KQL was developed by Microsoft to support Azure Data Explorer, a service built to handle large volumes of data from various sources like logs, telemetry, IoT data, and social media streams. With the increasing demand for real-time data analysis, KQL became a natural choice for Microsoft Sentinel and other log analytics tools.

Since its inception, KQL has grown into a flexible and robust query language designed specifically for high-performance data exploration and analytics.

2. Concept of KQL

KQL is a read-only query language designed to retrieve and analyze data. Unlike traditional SQL, KQL does not support data manipulation (such as INSERT or UPDATE). It’s purely for querying data, making it perfect for log analysis, diagnostics, and monitoring.

KQL queries are composed of operators, which act on data in sequences known as pipelines. Each operator refines the dataset, applying filters, aggregations, or transformations. This approach is very similar to SQL’s “SELECT-FROM-WHERE” but with specific operators designed for efficient, large-scale data analysis.

3. Basic Syntax and Structure

Basic Query Structure

A KQL query is typically structured in a pipeline format, where each part of the query refines the data further:

<table> 
| operator1 
| operator2 
| ...

The basic flow for querying a table is:

  • Table Name: The dataset or table you are querying.
  • Pipes (|): Used to separate operations.
  • Operators: Each operator refines the result set.

Example Query Structure

A simple KQL query on a Logs table could look like this:

Logs
| where Severity == "Critical"
| project Timestamp, Message
| sort by Timestamp desc
| take 10

This query:

  1. Filters for “Critical” severity logs.
  2. Selects specific columns (Timestamp and Message).
  3. Sorts the results by timestamp in descending order.
  4. Limits the output to the top 10 rows.

4. Core Operators in KQL

KQL operators perform functions similar to SQL statements, but in a syntax optimized for data analytics. Key operators include:

  • where: Filters data based on specified conditions.
  • project: Selects or renames columns.
  • sort: Orders rows based on column values.
  • take: Limits the number of rows returned.
  • summarize: Aggregates data (e.g., count, avg, sum).
  • join: Combines data from multiple tables.
  • extend: Adds calculated columns.

5. Data Filtering with where

The where operator is used to filter rows that meet specific conditions. It’s similar to SQL’s WHERE clause.

Syntax

<table> | where <condition>

Example

To retrieve only “Error” events from a SystemLogs table:

SystemLogs | where Severity == "Error"

This query retrieves all rows where the Severity column is set to “Error.”

6. Aggregation and Summarization

The summarize operator is essential for aggregating data. It can count rows, compute averages, and perform other summary functions.

Syntax

<table> | summarize <aggregation_function> by <column>

Example

To count events by their EventType in the Events table:

Events | summarize count() by EventType

This query groups rows by EventType and provides a count of each type.

7. Data Transformation and Projection

The project operator is used to select specific columns and rename them if necessary. It’s useful when you only need a subset of columns or want to improve readability.

Syntax

<table> | project <column1>, <column2> as <new_name>, ...

Example

Select only the Timestamp and EventType columns from Logs and rename EventType to Type:

Logs | project Timestamp, EventType as Type

8. Working with Time-Based Data

Time-based data is very common in log analytics, and KQL has operators to handle these efficiently.

ago

The ago function filters records based on time offsets from the current time.

Example

Retrieve logs from the past 24 hours:

Logs | where Timestamp >= ago(24h)

bin

The bin function groups data by time intervals, useful for time-series analysis.

Example

Count events in 1-hour intervals:

Logs | summarize count() by bin(Timestamp, 1h)

9. Joining and Combining Data

KQL supports both joining and combining datasets, making it possible to perform more complex analyses.

join

The join operator combines two tables on a common key.

Syntax

<table1> | join kind=<join_type> (<table2>) on <key>

Example

Combine the Errors table with Logs to find matching events:

Errors | join kind=inner (Logs) on EventID

union

The union operator stacks multiple tables into a single result set.

Example

Combine Errors and Logs:

Errors | union Logs

10. Advanced Functions and Custom Functions

extend

Adds a calculated column, often useful for creating derived values on the fly.

Example

Add a column IsCritical to flag critical errors:

Logs | extend IsCritical = Severity == "Critical"

Custom Functions

You can define reusable custom functions in KQL. This is helpful for complex queries or frequently repeated logic.

Syntax

let <function_name> = (<parameters>) {
    <query_body>
};

Example

Define a function to retrieve recent critical errors:

let GetRecentCriticalErrors = (timeframe:timespan) {
    Logs | where Severity == "Critical" and Timestamp >= ago(timeframe)
};
GetRecentCriticalErrors(1d)

11. Practical Examples

Example 1: Finding the Most Frequent Error Types

Errors
| summarize count() by ErrorType
| top 5 by count_

This query counts each ErrorType in the Errors table and retrieves the top 5 most frequent errors.

Example 2: Analyzing Logins by Day

Logins
| summarize count() by bin(Timestamp, 1d)
| sort by Timestamp asc

This query counts the number of logins per day and sorts the result by date.

Example 3: Correlating Data from Multiple Sources

Errors
| join kind=inner (Logins | project UserID, LoginTime) on UserID
| where Timestamp >= LoginTime
| project UserID, ErrorType, Timestamp, LoginTime

This query joins the Errors and Logins tables on UserID and finds errors occurring after each user’s login.

Summary

KQL is a powerful tool for working with log and telemetry data, especially suited for high-performance, large-scale data analysis. With its intuitive syntax and specialized operators, it simplifies querying large datasets, making it possible to perform complex analysis in a few lines. This guide provides a foundational understanding of KQL, and as you explore its functions and operators further, you’ll be able to unlock deeper insights from your data.

Share: XFacebookPinterestLinkedin
Author: tonyhughes