In Part1 we talked about what a query is.
The most common query we will write is a tabular expression statement which is what people usually have in mind when we talk about queries. This statement usually appears last in the statement list, and both its input and its output consists of tables or tabular data sets.
NOTE: Any two statements must be separated by a semicolon ;
We use a data flow model for the tabular expression statement. A tabular expression statement is generally composed of tabular data sources such as the tables we will query, tabular data operators such as filters and projections, and optional rendering operators.
The composition is represented by the pipe character (|), giving the statement a very regular form that visually represents the flow of tabular data from left to right. Each operator accepts a tabular data set “from the pipe”, and other inputs including more tabular data sets from the body of the operator, then emits a tabular data set to the next operator that follows.
So our query will look something like this:
Source | Operator1 | Operator2 | RenderInstruction
- Source – tabular data sources such as Azure Data Explorer tables
- Operator – tabular data operators such as filters and projections
- RenderInstruction – rendering operators or instructions
Example
In the following slightly more complex example, the join operator is used to combine records from two input data sets, one that is a filter on the Logs table, and another that is a filter on the Events table.
Logs
| where Timestamp > ago(1d)
| join
(
Events
| where continent == 'Europe'
) on RequestId So for now let’s use tabluar expressions and look at how we construct information out of our data..
Or in other words the workflow in constructing our query..
#Yip.