Query statement types

Applies to: ✅ Microsoft FabricAzure Data ExplorerAzure MonitorMicrosoft Sentinel

A query consists of one or more query statements, delimited by a semicolon (;). At least one of these query statements must be a tabular expression statement. The tabular expression statement generates one or more tabular results. Any two statements must be separated by a semicolon. When the query has more than one tabular expression statement, the query has a batch of tabular expression statements, and the tabular results generated by these statements are all returned by the query.

Two types of query statements:

  • Statements that are primarily used by users (user query statements),
  • Statements that have been designed to support scenarios in which mid-tier applications take user queries and send a modified version of them to Kusto (application query statements).

Some query statements are useful in both scenarios.

Note

The "effect" of a query statement starts at the point where the statement appears in the query and ends at the end of the query. Once the query completes, all its resources are released and it has no impact on future queries (other than side-effects, such as having the query recorded in a log of all queries run, or having its results cached.)

User query statements

Following is a list of user query statements:

  • A let statement defines a binding between a name and an expression. Let statements can be used to break a long query into small named parts that are easier to understand.

  • A set statement sets a request property that affects how the query is processed and its results returned.

  • A tabular expression statement, the most important query statement, returns the "interesting" data back as results.

Application query statements

Following is a list of application query statements:

  • An alias statement defines an alias to another database (in the same cluster or on a remote cluster).

  • A pattern statement, which can be used by applications that are built on top of Kusto and expose the query language to their users to inject themselves into the query name resolution process.

  • A query parameters statement, which is used by applications that are built on top of Kusto to protect themselves against injection attacks (similar to how command parameters protect SQL against SQL injection attacks.)

  • A restrict statement, which is used by applications that are built on top of Kusto to restrict queries to a specific subset of data in Kusto (including restricting access to specific columns and records.)