Editar

Compartir a través de


Syntax conventions for reference documentation

Applies to: ✅ Microsoft FabricAzure Data ExplorerAzure MonitorMicrosoft Sentinel

This article outlines the syntax conventions followed in the Kusto Query Language (KQL) and management commands reference documentation.

Syntax conventions

Convention Description
Block String literals to be entered exactly as shown.
Italic Parameters to be provided a value upon use of the function or command.
[ ] Denotes that the enclosed item is optional.
( ) Denotes that at least one of the enclosed items is required.
| (pipe) Used within square or round brackets to denote that you may specify one of the items separated by the pipe character. In this form, the pipe is equivalent to the logical OR operator. When in a block (|), the pipe is part of the KQL query syntax.
[, ...] Indicates that the preceding parameter can be repeated multiple times, separated by commas.
; Query statement terminator.

Examples

Scalar function

This example shows the syntax and an example usage of the hash function, followed by an explanation of how each syntax component translates into the example usage.

Syntax

hash(source [, mod])

Example usage

hash("World")
  • The name of the function, hash, and the opening parenthesis are entered exactly as shown.
  • "World" is passed as an argument for the required source parameter.
  • No argument is passed for the mod parameter, which is optional as indicated by the square brackets.
  • The closing parenthesis is entered exactly as shown.

Tabular operator

This example shows the syntax and an example usage of the sort operator, followed by an explanation of how each syntax component translates into the example usage.

Syntax

T | sort by column [asc | desc] [nulls first | nulls last] [, ...]

Example usage

StormEvents
| sort by State asc, StartTime desc
  • The StormEvents table is passed as an argument for the required T parameter.
  • | sort by is entered exactly as shown. In this case, the pipe character is part of the tabular expression statement syntax, as represented by the block text. To learn more, see What is a query statement.
  • The State column is passed as an argument for the required column parameter with the optional asc flag.
  • After a comma, another set of arguments is passed: the StartTime column with the optional desc flag. The [, ...] syntax indicates that more argument sets may be passed but aren't required.

Working with optional parameters

To provide an argument for an optional parameter that comes after another optional parameter, you must provide an argument for the prior parameter. This requirement is because arguments must follow the order specified in the syntax. If you don't have a specific value to pass for the parameter, use an empty value of the same type.

Example of sequential optional parameters

Consider the syntax for the http_request plugin:

evaluate http_request ( Uri [, RequestHeaders [, Options]] )

RequestHeaders and Options are optional parameters of type dynamic. To provide an argument for the Options parameter, you must also provide an argument for the RequestHeaders parameter. The following example shows how to provide an empty value for the first optional parameter, RequestHeaders, in order to be able to specify a value for the second optional parameter, Options.

evaluate http_request ( "https://contoso.com/", dynamic({}), dynamic({ EmployeeName: Nicole }) )