How to use kql

Content on WhatAnswers is provided "as is" for informational purposes. While we strive for accuracy, we make no guarantees. Content is AI-assisted and should not be used as professional advice.

Last updated: April 4, 2026

Quick Answer: Kusto Query Language (KQL) is a powerful tool for querying data. To use KQL, you'll typically connect to a data source (like Azure Data Explorer or Azure Monitor), write queries using its specific syntax to filter, transform, and analyze data, and then execute them to retrieve results. Common operations include selecting columns, filtering rows with `where`, aggregating data with `summarize`, and joining tables.

Key Facts

KQL is designed for exploring data and discovering patterns.
It uses a pipe-separated syntax, where the output of one operator becomes the input of the next.
Common operators include `take`, `where`, `project`, `summarize`, `join`, and `extend`.
KQL supports a rich set of scalar functions for data manipulation and analysis.
It is primarily used with Azure Data Explorer, Azure Monitor, and Microsoft Sentinel.

What is Kusto Query Language (KQL)?

Kusto Query Language (KQL) is a read-only request language used to explore data and discover patterns. Developed by Microsoft, it is designed to be intuitive and easy to learn, while also being powerful enough for complex data analysis. KQL is the primary language used to query data stored in Azure Data Explorer, Azure Monitor Logs, Microsoft Sentinel, and other Microsoft services.

Key Concepts and Syntax

KQL queries are structured around a sequence of operators, connected by a pipe symbol (`|`). The data flows from one operator to the next, allowing for a step-by-step transformation and analysis of the data. Each operator performs a specific task, such as filtering rows, selecting columns, aggregating data, or joining tables.

Basic Query Structure

A simple KQL query might look like this:

TableName| where ColumnName == 'some_value'| project Column1, Column2

In this example:

TableName: Specifies the table you want to query.
|: The pipe operator, passing the results of the previous operation to the next.
where ColumnName == 'some_value': Filters the rows where the value in ColumnName is exactly 'some_value'.
project Column1, Column2: Selects only Column1 and Column2 from the filtered rows.

Common KQL Operators

Here are some of the most frequently used KQL operators:

take: Returns a specified number of arbitrary records from the dataset. Similar to TOP in SQL. take 10 will return 10 records.
where: Filters rows based on a specified condition. It's crucial for narrowing down your data. Example: where Severity == 'Error'.
project: Selects specific columns to display in the result set, and can also rename columns or create new ones. Example: project Timestamp, Message, ResourceId.
extend: Adds new columns to the result set based on expressions. Example: extend DurationInMinutes = DurationInSeconds / 60.
summarize: Aggregates rows based on specified grouping columns and uses aggregation functions (like count(), avg(), sum(), dcount()) to produce summary statistics. Example: summarize count() by bin(Timestamp, 1h), Level.
join: Combines rows from two tables based on a common key. There are various join kinds (innerunique, leftouter, inner, etc.). Example: Resources | join kind=leftouter (ResourceTypes) on $left.ResourceType == $right.Name.
sort by: Sorts the results in ascending or descending order based on one or more columns. Example: sort by Timestamp desc.
render: Visualizes the query results. Common render types include timechart, piechart, and table. Example: | render timechart.

Data Types and Functions

KQL supports various data types, including strings, integers, decimals, datetimes, booleans, dynamic (JSON), and GUIDs. It also provides a rich set of scalar functions for manipulating these data types, performing calculations, and extracting information. For example:

String functions: strlen(), substring(), split(), contains().
Datetime functions: now(), ago(), format_datetime(), startofday().
Aggregation functions: count(), sum(), avg(), min(), max(), dcount() (distinct count), make_list(), make_set().

Where to Use KQL

KQL is predominantly used within the Microsoft Azure ecosystem:

Azure Data Explorer (ADX): A fast, fully managed data analytics service for real-time analysis on large volumes of streaming data.
Azure Monitor Logs: Collects and analyzes telemetry data from Azure and on-premises environments, using KQL to query logs and metrics.
Microsoft Sentinel: A cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution that leverages KQL for threat hunting and incident analysis.
Other Azure Services: KQL can also be used in services like Azure Log Analytics, Application Insights, and Azure Security Center.

Getting Started with KQL

To start using KQL:

Access a KQL Environment: You'll need access to a service that supports KQL, such as the Azure portal's Log Analytics workspace or Azure Data Explorer web UI.
Understand Your Data Schema: Familiarize yourself with the tables and columns available in your data source.
Start with Simple Queries: Begin by selecting a few columns and filtering data using the take and where operators.
Gradually Add Complexity: As you become more comfortable, incorporate operators like summarize for aggregation and project for shaping your results.
Utilize Documentation and Examples: Microsoft provides extensive documentation, tutorials, and examples for KQL. Referencing these resources is highly recommended.

By understanding these fundamental concepts and practicing with real data, you can effectively leverage KQL for powerful data exploration and analysis.