Previous

Next

Exercise: Sample queries

Completed

In the previous unit, we examined the general structure of a KQL query. Now let's try running a few sample queries.

Access demo query environments

Some of the products that use KQL offer free environments that you can use for practicing queries. Choose one of the following tabs that corresponds to the query environment you want to use.

Azure Data Explorer

Azure Data Explorer offers a help cluster with different types of data preloaded. This cluster can be accessed using the Azure Data Explorer web UI.

Azure Data Explorer help cluster

Prerequisites

This environment requires a Microsoft account or a Microsoft Entra user identity.

Run sample query

The following query answers the question, "What were the top 10 property damages caused by floods?"

Run the query

StormEvents
| where EventType == "Flood"
| sort by DamageProperty desc
| take 10

Here's a step-by-step analysis of how the query processes the data.

1. The query begins with the StormEvents table as the tabular input.
2. It filters on records for which the EventType column is exactly equal to Flood.
3. The resulting list is sorted in descending order based on the value in the DamageProperty column.
4. Finally, the top 10 records are returned.

Azure Monitor/Microsoft Sentinel

Microsoft Sentinel and Log Analytics in Azure Monitor both use the demo environment that is accessed by searching for and selecting Logs in the Azure portal.

Log Analytics demo environment

Prerequisites

This environment requires an Azure subscription. Create a free Azure account.

Run sample query

The following query answers the question, "What were the top 10 longest response duration log queries in the past day?"

Run the query

LAQueryLogs
| where TimeGenerated between (ago(24h) .. now())
| sort by ResponseDurationMs desc
| take 10

Here's a step-by-step analysis of how the query processes the data.

1. The query begins with the LAQueryLogs table as the tabular input.
2. It filters on records for which the TimeGenerated column is between 24 hours ago and now, meaning in the past day.
3. The resulting list is sorted in descending order based on the value in the ResponseDurationMs column.
4. Finally, the top 10 records are returned.

Azure Resource Graph

The Azure Resource Graph Explorer is accessed by searching for and selecting Resource Graph Explorer in the Azure portal.

Azure Resource Graph Explorer

Prerequisites

This environment requires an Azure subscription. Create a free Azure account.

Run sample query

The following query answers the question, "What were the top 10 most recently enabled storage resources?"

resources
| where type contains 'storage'
| sort by todatetime(properties.encryption.services.blob.LastEnabledTime)
| take 10

Here's a step-by-step analysis of how the query processes the data.

1. The query begins with the Resources table as the tabular input.
2. It filters on records for which the type column contains the term storage.
3. The resulting list is sorted in descending order based on the LastEnabledTime value in the dynamic field called properties.
4. Finally, the top 10 records are returned.

Continue