Kusto Query Language (KQL) overview
Kusto Query Language is a powerful tool to explore your data and discover patterns, identify anomalies and outliers, create statistical modeling, and more. The query uses schema entities that are organized in a hierarchy similar to SQLs: databases, tables, and columns.
What is a Kusto query?
A Kusto query is a read-only request to process data and return results. The request is stated in plain text, using a data-flow model that is easy to read, author, and automate. Kusto queries are made of one or more query statements.
What is a query statement?
There are three kinds of user query statements:
All query statements are separated by a
; (semicolon), and only affect the query at hand.
For information about application query statements, see Application query statements.
The most common kind of query statement is a tabular expression statement, which means both its input and output consist of tables or tabular datasets. Tabular statements contain zero or more operators, each of which starts with a tabular input and returns a tabular output. Operators are sequenced by a
| (pipe). Data flows, or is piped, from one operator to the next. The data is filtered or manipulated at each step and then fed into the following step.
It's like a funnel, where you start out with an entire data table. Each time the data passes through another operator, it's filtered, rearranged, or summarized. Because the piping of information from one operator to another is sequential, the query operator order is important, and can affect both results and performance. At the end of the funnel, you're left with a refined output.
Let's look at an example query.
StormEvents | where StartTime between (datetime(2007-11-01) .. datetime(2007-12-01)) | where State == "FLORIDA" | count
KQL is case-sensitive for everything – table names, table column names, operators, functions, and so on.
This query has a single tabular expression statement. The statement begins with a reference to a table called StormEvents and contains several operators,
count, each separated by a pipe. The data rows for the source table are filtered by the value of the StartTime column and then filtered by the value of the State column. In the last line, the query returns a table with a single column and a single row containing the count of the remaining rows.
To try out some more Kusto queries, see Tutorial: Use Kusto queries.
In contrast to Kusto queries, Control commands are requests to Kusto to process or modify data or metadata. For example, the following control command creates a new Kusto table with two columns,
.create table Logs (Level:string, Text:string)
Control commands have their own syntax, which isn't part of the Kusto Query Language syntax, although the two share many concepts. In particular, control commands are distinguished from queries by having the first character in the text of the command be the dot (
.) character (which can't start a query).
This distinction prevents many kinds of security attacks, simply because it prevents embedding control commands inside queries.
Not all control commands modify data or metadata. The large class of commands that start with
.show, are used to display metadata or data. For example, the
.show tables command returns a list of all tables in the current database.
For more information on control commands, see Management (control commands) overview.