Posted in AZ-500 Azure Security Engineer Associate, Azure Administrator, Azure Security Engineer, Azure Solutions Architect, MS Cyber Security Architect Expert, MS Security Operations Analyst

Kusto Query Language

   November 2, 2024

To create a comprehensive document detailing all Kusto Query Language (KQL) operators and functions with explanations, syntax, and examples, here’s an organized approach covering major operators and functions in KQL. The document includes a concise description of each operator and function, examples of its usage, and guidance for working with KQL in Azure Data Explorer or Microsoft Sentinel.

Kusto Query Language (KQL) Operators and Functions

KQL is designed for querying large datasets quickly and efficiently, often for log analysis, monitoring, and interactive analytics. Below is a list of commonly used operators and functions in KQL, organized by categories like filtering, sorting, aggregating, and data transformation.

Table of Contents

  1. Filtering Operators
    • where
    • search
    • in
  2. Sorting and Limiting Operators
    • take
    • limit
    • top
    • sort
  3. Aggregating Operators
    • summarize
    • count
    • avg
    • min / max
  4. Join and Union Operators
    • join
    • union
  5. Transformation Functions
    • project
    • project-rename
    • project-away
  6. Data Manipulation and Conversion Functions
    • parse
    • parse_json
    • tostring
    • toint
    • datetime_part
  7. Time-Based Operators
    • ago
    • bin
    • make-series
  8. Advanced Analysis Functions
    • mv-expand
    • find
  9. Custom Functions

1. Filtering Operators

where

  • Description: Filters rows based on specified conditions.
  • Syntax: <table> | where <condition>
  • Example:
  Events | where Severity == "Critical"

search

  • Description: Searches for a term across multiple columns in a table.
  • Syntax: <table> | search "<term>"
  • Example:
  Events | search "error"

in

  • Description: Checks if values exist in a set of specified values.
  • Syntax: <column> in (<value1>, <value2>, ...)
  • Example:
  Events | where EventID in (1001, 1002, 1003)

2. Sorting and Limiting Operators

take

  • Description: Returns a specified number of rows.
  • Syntax: <table> | take <count>
  • Example:
  Logs | take 5

limit

  • Description: Limits the result to a specific number of rows.
  • Syntax: <table> | limit <count>
  • Example:
  Logs | limit 10

top

  • Description: Returns the top N rows based on a specified column.
  • Syntax: <table> | top <count> by <column> [asc | desc]
  • Example:
  Logs | top 5 by Timestamp desc

sort

  • Description: Sorts rows based on a column.
  • Syntax: <table> | sort by <column> [asc | desc]
  • Example:
  Logs | sort by Timestamp asc

3. Aggregating Operators

summarize

  • Description: Aggregates data by specified columns and aggregation functions.
  • Syntax: <table> | summarize <aggregation function> by <column>
  • Example:
  Events | summarize count() by EventType

count

  • Description: Counts the number of rows.
  • Syntax: <table> | count
  • Example:
  Logs | count

avg

  • Description: Calculates the average of a numeric column.
  • Syntax: <table> | summarize avg(<column>)
  • Example:
  Events | summarize avg(Duration) by EventType

min / max

  • Description: Finds the minimum or maximum value in a column.
  • Syntax: <table> | summarize min(<column>) or max(<column>)
  • Example:
  Events | summarize max(Timestamp)

4. Join and Union Operators

join

  • Description: Combines rows from two tables based on a common key.
  • Syntax: <table1> | join kind=<join_type> (<table2>) on <key>
  • Example:
  Events | join kind=inner (Errors) on EventID

union

  • Description: Combines rows from multiple tables.
  • Syntax: <table1> | union <table2>
  • Example:
  Logs | union Errors

5. Transformation Functions

project

  • Description: Selects and renames columns.
  • Syntax: <table> | project <column1>, <column2>
  • Example:
  Logs | project Timestamp, EventType

project-rename

  • Description: Renames columns without dropping others.
  • Syntax: <table> | project-rename <new_name>=<old_name>
  • Example:
  Logs | project-rename EventIDNew = EventID

project-away

  • Description: Drops specified columns.
  • Syntax: <table> | project-away <column1>, <column2>
  • Example:
  Logs | project-away EventID

6. Data Manipulation and Conversion Functions

parse

  • Description: Extracts values from strings based on a pattern.
  • Syntax: <table> | parse <column> with <pattern>
  • Example:
  Logs | parse Message with "User " User " logged in"

parse_json

  • Description: Parses JSON-formatted strings into objects.
  • Syntax: <table> | extend <new_column> = parse_json(<column>)
  • Example:
  Logs | extend ParsedMessage = parse_json(Message)

tostring

  • Description: Converts a value to a string.
  • Syntax: <table> | extend <new_column> = tostring(<column>)
  • Example:
  Logs | extend StringEventID = tostring(EventID)

toint

  • Description: Converts a value to an integer.
  • Syntax: <table> | extend <new_column> = toint(<column>)
  • Example:
  Logs | extend IntEventID = toint(EventID)

datetime_part

  • Description: Extracts parts of a date, such as year, month, day.
  • Syntax: datetime_part("part", <datetime_column>)
  • Example:
  Logs | extend Month = datetime_part("month", Timestamp)

7. Time-Based Operators

ago

  • Description: Returns a datetime offset from the current time.
  • Syntax: ago(<time>)
  • Example:
  Logs | where Timestamp >= ago(1d)

bin

  • Description: Rounds datetime values to intervals.
  • Syntax: <table> | summarize count() by bin(<column>, <interval>)
  • Example:
  Events | summarize count() by bin(Timestamp, 1h)

make-series

  • Description: Creates a time series by binning data points.
  • Syntax: make-series <aggregation> on <column> in range(start, stop, interval)
  • Example:
  Events | make-series count() on Timestamp in range(datetime(2022-01-01), datetime(2022-01-31), 1d)

8. Advanced Analysis Functions

mv-expand

  • Description: Expands multi-value columns into separate rows.
  • Syntax: <table> | mv-expand <column>
  • Example:
  Logs | mv-expand Users

find

  • Description: Finds specific patterns or values in logs.
  • Syntax: find in <table> "<term>"
  • Example:
  find in (Events) "error"

9. Custom Functions

Creating a Custom Function

  • Description: Define reusable logic for complex operations.
  • Syntax:
  let <function_name> = (<parameters>) {
      <query_body>
  };

This structure will provide a solid reference for anyone

getting started with KQL, supporting both beginners and intermediate users.

Share: XFacebookPinterestLinkedin
Author: tonyhughes