Disclaimer: This is work in progress intended to consolidate information from various sources for learning purposes. For the latest information please consult the documentation (see the links below)!
Last updated: 9-Feb-2025
[Microsoft Fabric] Kusto Query Language (KQL)
- {def} a read-only request to process data and return results [1]
- designed for data exploration and summarization [1]
- very similar to SQL
- the explain command can be used to translate a SQL query into the equivalent KQL
- ⇐ not all SQL syntax can be translated
- statements are executed in the order in which they are written
- funnel-like processing in which data is piped from one operator to the next
- at each step the data is filtered, rearranged or summarized and then fed into the following step
- the steps are sequenced with a pipe (|)
- returns data in a tabular or graph format
- designed and developed to take advantage of cloud computing through clustering and scaling compute [2]
- ideal engine to power fast, real-time dashboards
- case-sensitive in general
- named after the undersea pioneer Jacques Cousteau [2]
- operation sequence
- filter data
- aggregate data
- order data
- modify column output
- supports standard data types
- string
- a sequence of zero or more Unicode characters
- characters are encoded in UTF-8.
- int
- 32-bit whole-number integer
- long
- signed 64-bit whole-number integer
- real (aka double)
- 64-bit decimal-based number that provides high precision with decimal points
- decimal
- a 128-bit decimal number
- provides the highest precision of decimal points
- {recommendation} if precision is not needed, use the real type instead [2]
- bool
- a boolean value that can be a true (1), false (0), or null
- datetime
- represents a date in the UTC zone
- timespan
- represents a time interval
- days, hours, minutes, seconds, milliseconds, microseconds, ticks
- if no unit is specified, the value defaults to days
- dynamic
- a special data type that can hold
- any value of the other data types
- arrays
- a property bag of {name = value} pairs
- guid
- a 128-bit globally unique value
- statement types
- tabular expression statement
- let statement
- used to
- bind a variable name to an expression
- create views
- ⇐ used mostly to
- break complex expressions into multiple parts, each represented by a variable
- set constants outside the query to aid readability
- set statement
- used to set the query duration
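The funnel described above (filter, aggregate, order, modify column output) together with the let statement, as an added example that is not part of the original post: it runs over a small constructed datatable of sign-in events, so it needs no Sentinel workspace, and every column name, account and IP address in it is made up for illustration.

```kql
// Added example, not from the original post. The table, column names and
// values below are constructed; the "current time" is pinned to a constant
// so the query is reproducible without a live data source.
let lookback = 1h;                 // constant kept outside the query for readability
let threshold = 3;                 // failed sign-ins per account before an account is reported
let asOf = datetime(2025-02-09 10:10:00);   // stands in for now() against the fixed sample data
// let used as a view: a tabular expression bound to a name
let SignInEvents = datatable(TimeGenerated:datetime, Account:string, Result:string, SourceIp:string)
[
    datetime(2025-02-09 10:00:00), "alice", "Failure", "203.0.113.10",
    datetime(2025-02-09 10:01:00), "alice", "Failure", "203.0.113.10",
    datetime(2025-02-09 10:02:00), "alice", "Failure", "203.0.113.10",
    datetime(2025-02-09 10:03:00), "alice", "Success", "203.0.113.10",
    datetime(2025-02-09 10:05:00), "bob",   "Failure", "198.51.100.7",
    datetime(2025-02-09 08:00:00), "carol", "Failure", "192.0.2.44"
];
SignInEvents
| where Result == "Failure"                    // 1. filter: keep only failed attempts
| where TimeGenerated > asOf - lookback        //    and only those inside the window
| summarize Failures = count(),                // 2. aggregate per account
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Sources   = make_set(SourceIp)     //    dynamic array of distinct source IPs
    by Account
| where Failures >= threshold                  //    filter again on the aggregate
| order by Failures desc                       // 3. order: noisiest account first
| project Account, Failures, FirstSeen, LastSeen, Sources   // 4. modify column output
```

Changing the constants at the top (lookback, threshold) reshapes the whole query without touching the pipeline, which is the readability benefit the let statement is meant to give.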
- {tool} Microsoft Sentinel
- {def} a cloud-native SIEM and SOAR that provides cyberthreat detection, investigation, response, and proactive hunting, with a bird's-eye view across your enterprise [3]
- {tool} Kusto Explorer
- {def} user-friendly interface to query and analyze data with KQL [4]
- {tool} Azure Data Studio
- {def} lightweight, cross-platform data management and development tool for data professionals [5]
References:
[1] Microsoft (2024) Real-time Analytics: End-to-End Workshop
[2] Mark Morowczynski et al (2024) The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending, and Threat Hunting
[3] Microsoft Learn (2024) Azure: What is Microsoft Sentinel [link]
[4] Microsoft Learn (2024) Kusto: Kusto.Explorer installation and user interface [link]
[5] Microsoft Learn (2024) SQL: What is Azure Data Studio? [link]
Acronyms:
KQL - Kusto Query Language
SIEM - security information and event management
SOAR - security orchestration, automation, and response
SQL - Structured Query Language
UTC - Universal Time Coordinated