A Brief Introduction to Kusto Query Language

Kusto Query Language (KQL) Introduction
This article gives a brief introduction for anyone who is about to start learning the Kusto Query Language (KQL), so that the basics are understood clearly from the outset. Perhaps you have just heard of KQL and are eager to learn about it or start using it; this article will kick-start your journey into the world of Kusto.
Kusto and KQL
Kusto Query Language (KQL) is a language developed by Microsoft and used to query data in services such as Azure Monitor Logs, Azure Monitor Application Insights and many more.
KQL is well suited to dealing with huge amounts of streaming data, for example application logs, and it is quite similar to SQL (Structured Query Language). Because of that similarity, anyone with a little SQL knowledge will quickly get the hang of KQL; this article also demonstrates KQL from scratch to make it easier to understand.
KQL Example:
Here you need to understand that a query starts from a table and then applies predicates (filters) and other operators, and the pipe character (|) is used to join them. In KQL, pipe characters are mostly used to separate expressions.
Select Operators
Table
| where column == 'value'
Here Table is the table name, column is the column to filter on and value is the required value. We can specify multiple conditions, and further clauses such as order by (sorting), by adding more pipe-separated operators.
search operator
Table
| search 'value'
This will search for the specified value in all the columns of the table, but one thing to keep in mind is that KQL is case sensitive.
From a performance perspective, however, search is not a good option; the where clause should be used for filtering instead. With where we can use the =~ operator for a case-insensitive comparison and the has operator to match a term within the string instead of the whole string. Case-insensitive here means the value is matched irrespective of the letter case of the exact term.
Between Operator
Here we can specify a range by defining it with the between clause, for example a timestamp within some time frame such as between 8:00 AM and 9:00 AM.
We can use the ago function to get a timespan relative to the current time, like 1 hour ago, 2 hours ago and so on.
Syntax:
ago(time), where time is specified in the following way:
1h, where h stands for hour
1d, where d stands for day; similarly m for minutes, s for seconds and ms for milliseconds.
Summarize Operator
Summarize is used to aggregate by column name or to count the occurrences of a column or columns, like summarize by column1, column2 and so on, or summarize count() by column1, column2 etc.
Project Operator
We can limit the columns displayed in the output by listing them in the project operator, like project column1, column2 and so on.
Graphic Operator:
Render is used to display graphical representations in Kusto Query Language.
We can use various charts such as a timechart, a scatterchart, an areachart, a barchart, a columnchart or a piechart to gain different insights and observations according to the use case.
Extend Operator
We use extend to create a new column or columns by specifying a column name that hasn't been used earlier. So it may be used to create a new column, which can then be displayed in the output with the project operator.
Let Statement:
A let statement, followed by the variable's name, the = sign, and your data, is used to represent a variable in Kusto. One thing to keep in mind is that the let statement must be terminated by a semicolon.
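Putting the operators above together, here is an added example query that is not from the original article: it looks for a spike of server-side errors on a login request. The table AppRequests, its columns (TimeGenerated, Name, ResultCode) and the threshold are assumed for illustration, not taken from any real workspace.

```kql
// Added example (not from the original article). Table and column names are assumed.
let lookback = 1h;                                    // let: reusable values, each ends with a semicolon
let errorThreshold = 5;
AppRequests
| where TimeGenerated between (ago(lookback) .. now()) // between + ago(): relative time window
| where ResultCode startswith "5"                     // filter: only HTTP 5xx responses
| where Name has "login"                              // has: whole-term match, case-insensitive
| extend Bucket = bin(TimeGenerated, 5m)              // extend: new computed column (5-minute bucket)
| summarize Errors = count() by Bucket, Name          // summarize: count errors per bucket and request
| where Errors > errorThreshold                       // keep only buckets above the threshold
| project Bucket, Name, Errors                        // project: limit the output columns
| render timechart                                    // render: plot errors over time
```

Drop the final render line to see the raw rows instead of the chart.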
This brief introduction to Kusto Query Language may help you understand how to query Azure Monitor to extract data from metrics and events.
Good Luck!
