Getting Started with KQL


I saw an episode of Data Exposed with my good friend, Hamish Watson. He talked about KQL (Kusto Query Language) being the next query language you need to learn. I was skeptical of the title, but I decided to give this a try.

In the episode, Hamish points out a cheat sheet from Microsoft, which I thought was a good resource. However, while watching the video, I browsed over to the demo site Microsoft has. You need an Azure account to log in, but this is a demo site where you can query some Log Analytics data. The new query window below is what appears when you go there:

[Screenshot: Logs - Microsoft Azure, 2021-12-22]

Hamish shows some sample items, and I noted that to query a table, you just include the name. The query window in Azure has intellisense, and I used Hamish’s example to look at perf data.

[Screenshot: Logs - Microsoft Azure]

The structure of a query is that you choose a table, then add a pipe (|) followed by a where clause or other operators. I glanced at the cheat sheet, but really I played around a bit.

For example, I saw in the demo there was a “take” option, so I tried this:

Perf
| take 6

This gave me six results, so it’s like a TOP clause in T-SQL.

[Screenshot: Logs - Microsoft Azure]

Next, I tried a WHERE. This is also structured as a line after a pipe. I picked a value I saw and then ran the query.

[Screenshot: Logs - Microsoft Azure]

I noticed there was a summarize option, so I tried entering this. What I liked was that I had some intellisense options to help me with the various aggregates.

[Screenshot: Logs - Microsoft Azure]

I ran this query, and got an average of the free space across all disks.

[Screenshot: Logs - Microsoft Azure]

That isn’t a number that really means anything. I tried GROUP BY in a few ways, but eventually had to look at the cheat sheet to see that just “by” is needed. I ended up with this query to get space by disk.

[Screenshot: Logs - Microsoft Azure]
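As an added example (not a query from the post or its screenshots), this is the kind of Perf query the steps above build up to, with the pieces in the order a pipeline executes them. It assumes the standard Log Analytics Perf columns (TimeGenerated, Computer, ObjectName, CounterName, InstanceName, CounterValue).

```kql
// Added example, not from the original post.
// Assumes the standard Log Analytics Perf schema.
Perf
| where TimeGenerated > ago(1h)                 // narrow the time window before anything else
| where ObjectName == "LogicalDisk"
    and CounterName == "% Free Space"
    and InstanceName != "_Total"                // drop the all-disks pseudo-instance
| summarize AvgFreePct = avg(CounterValue) by Computer, InstanceName   // "by" is the GROUP BY
| where AvgFreePct < 15                         // filter after the aggregate, like HAVING
| order by AvgFreePct asc
| take 6                                        // like TOP in T-SQL
```

Each line reads as a transformation of the rows coming out of the line above it, which is why the query can be built one pipe at a time in the Logs window.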

In some ways, I found KQL to be easier to work with than SQL. It’s cleaner, and logically follows what I’d do when writing a query. I built this in a way similar to how the query is executed, which is unlike how SQL works.

I don’t know if KQL is going to be that important to me, but I will play around with it a bit more.
