Kusto Query Language (KQL) overview
Applies to: ✅ Microsoft Fabric ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Kusto Query Language (KQL) is a powerful tool to explore your data and discover patterns, identify anomalies and outliers, create statistical modeling, and more. KQL is a simple yet powerful language to query structured, semi-structured, and unstructured data. The language is expressive, easy to read and understand the query intent, and optimized for authoring experiences. Kusto Query Language is optimal for querying telemetry, metrics, and logs with deep support for text search and parsing, time-series operators and functions, analytics and aggregation, geospatial, vector similarity searches, and many other language constructs that provide the most optimal language for data analysis. The query uses schema entities that are organized in a hierarchy similar to SQLs: databases, tables, and columns.
This article provides an explanation of the query language and offers practical exercises to get you started writing queries. To access the query environment, use the Azure Data Explorer web UI. To learn how to use KQL, see Tutorial: Learn common operators.
This article provides an explanation of the query language and offers practical exercises to get you started writing queries. To access the query environment, use the KQL queryset. To learn how to use KQL, see Tutorial: Learn common operators.
A Kusto query is a read-only request to process data and return results. The request is stated in plain text, using a data-flow model that is easy to read, author, and automate. Kusto queries are made of one or more query statements.
There are three kinds of user query statements:
All query statements are separated by a ;
(semicolon), and only affect the query at hand.
Catatan
For information about application query statements, see Application query statements.
The most common kind of query statement is a tabular expression statement, which means both its input and output consist of tables or tabular datasets. Tabular statements contain zero or more operators, each of which starts with a tabular input and returns a tabular output. Operators are sequenced by a |
(pipe). Data flows, or is piped, from one operator to the next. The data is filtered or manipulated at each step and then fed into the following step.
It's like a funnel, where you start out with an entire data table. Each time the data passes through another operator, it's filtered, rearranged, or summarized. Because the piping of information from one operator to another is sequential, the query operator order is important, and can affect both results and performance. At the end of the funnel, you're left with a refined output.
Let's look at an example query.
StormEvents
| where StartTime between (datetime(2007-11-01) .. datetime(2007-12-01))
| where State == "FLORIDA"
| count
Count |
---|
28 |
Catatan
KQL is case-sensitive for everything – table names, table column names, operators, functions, and so on.
This query has a single tabular expression statement. The statement begins with a reference to a table called StormEvents and contains several operators, where
and count
, each separated by a pipe. The data rows for the source table are filtered by the value of the StartTime column and then filtered by the value of the State column. In the last line, the query returns a table with a single column and a single row containing the count of the remaining rows.
To try out some more Kusto queries, see Tutorial: Write Kusto queries.
In contrast to Kusto queries, Management commands are requests to Kusto to process or modify data or metadata. For example, the following management command creates a new Kusto table with two columns, Level
and Text
:
.create table Logs (Level:string, Text:string)
Management commands have their own syntax, which isn't part of the Kusto Query Language syntax, although the two share many concepts. In particular, management commands are distinguished from queries by having the first character in the text of the command be the dot (.
) character (which can't start a query).
This distinction prevents many kinds of security attacks, simply because it prevents embedding management commands inside queries.
Not all management commands modify data or metadata. The large class of commands that start with .show
, are used to display metadata or data. For example, the .show tables
command returns a list of all tables in the current database.
For more information on management commands, see Management commands overview.
KQL is used by many other Microsoft services. For specific information on the use of KQL in these environments, refer to the following links: