Software Development by Terry

Kusto Query Language

The Kusto Query Language (KQL) is a plain-text, read-only language used to query big datasets. Some products which use KQL are Azure Data Explorer, Microsoft Defender ATP, Log Analytics, and Azure Sentinel.

Add to Set
Add to Set
Share on X Share on Facebook Share on LinkedIn Share on Reddit Share on WhatsApp Send via Email

Work with Lists
...see more

Create List

let set1 = toscalar (AzureNetworkAnalytics_CL | take 1 | project FlowCount_d);
print set1


Compare two lists

let history = dynamic (['20.150.9.36','20.50.65.82']);
let current = dynamic (['20.150.9.36','20.50.65.82', '10.0.0.10']);
print set_difference(current, history)
Open
Add to Set
Comment
Share
Add to Set
Twitter Facebook LinkedIn
Email Copy Link to Clipboard

Kusto Query Sample
...see more
let startdate = ago(1h);
let current = toscalar(AzureNetworkAnalytics_CL
 | where FlowStartTime_t > startdate
 | where SubType_s == "FlowLog" and FlowDirection_s == "O"
 | extend DestinationIP = extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))", 1, DestPublicIPs_s)
 | distinct DestinationIP
 | summarize make_list(DestinationIP));
let history = toscalar (AzureNetworkAnalytics_CL
 | where FlowStartTime_t <= startdate and FlowStartTime_t > ago(2d)
 | where SubType_s == "FlowLog" and FlowDirection_s == "O"
 | extend DestinationIP = extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))", 1, DestPublicIPs_s)
 | distinct DestinationIP
 | summarize  make_list(DestinationIP));
print set_difference(current, history)
Open
Add to Set
Comment
Share
Add to Set
Twitter Facebook LinkedIn
Email Copy Link to Clipboard

Simple KQL Commands
...see more
  • Count will return the number of rows in the query
  • Where allows filtering the rows that are returned based on a condition
  • Take will return a specified number of rows, but no guarantee which rows are returned
  • Sort will allow sorting the output into an order
  • Top will return the first N records sorted by the specified column
  • Extend command allows creating new columns from existing columns or other data such as hard-coded values
  • Summarize will return the total values for a specific grouping of rows
Open
Add to Set
Comment
Share
Add to Set
Twitter Facebook LinkedIn
Email Copy Link to Clipboard

Select a Custom Dimension as a Column in KQL
...see more

Selecting a custom dimension means extracting a value from the dynamic field and showing it as a normal column.

Basic Example

If your logs contain a custom dimension called UserId, use this query:

 
traces
| project
    timestamp,
    message,
    UserId = tostring(customDimensions["UserId"])

What this does:

  • Reads the value using square brackets.
  • Converts it to a string.
  • Creates a new column named UserId.

You can select multiple custom dimensions in the same query:

 
requests
| project
    timestamp,
    name,
    Region  = tostring(customDimensions["Region"]),
    OrderId = tostring(customDimensions["OrderId"])

Tips

  • Always use tostring() unless you know the value is numeric or boolean.
  • Rename the extracted value to keep your results readable.
  • Use project to control exactly what columns appear in the output.

This pattern is ideal for building reports or exporting data because it turns hidden metadata into visible columns that anyone can understand.

Open
Add to Set
Comment
Share
Add to Set
Twitter Facebook LinkedIn
Email Copy Link to Clipboard
Referenced in:

Comments

Copyright © Snippset 2022. All Rights Reserved.