adaptive.run TECH BLOG

Cloud can be tricky sometimes. Find out what scenarios we've run into that are worth mentioning and explaining.

Getting started - the basics of Kusto Query Language (KQL) 

Level: 200
Publishing date: 16-Oct-2020
Author: Catalin Popa

If you're planning on doing monitoring and alerting in Azure, then you have to know Kusto Query Language (KQL).

KQL stands for Kusto Query Language. It’s the language used to query Azure services such as Azure Monitor Logs, Azure Monitor Application Insights, Azure Log Analytics Workspaces and more.

You won't be using Kusto databases for your ERP or CRM, but they’re perfect for massive amounts of streamed data like application logs.

You might be wondering how this language is structured. In short, it's related to SQL and looks somewhat similar. Let me give you an example - a SQL query looks like this:


SELECT * FROM customers_table WHERE name = 'James'

The exact same thing, but translated into KQL, is this:

customers_table
| where name == 'James'


I presume you have already noticed the "|" (pipe) character. For some, it might be familiar from running PowerShell commands. In Kusto it does the same thing - it passes data through to the next command.

Using pipes makes it much easier to grasp what’s going on when you read a query, and it helps structure things when you're authoring a query.

You can chain multiple statements together by piping the data through to further statements:


customers_table
| where name == 'James'
| order by age


As you might have noticed, the comparison operators are not quite the same as in SQL. A full list of Kusto concepts can be found in the official Microsoft documentation. While the idea behind the two languages is similar, you will soon find that KQL is different. Here are some examples:

1) DateTimes are different and more powerful too. For example, you can refer to d, h, m, and s for days, hours, minutes and seconds, and use them in queries:

events_table
| where starttime > now(-7d)


2) Counting becomes easier:

SELECT COUNT(*) FROM customers_table

becomes

customers_table
| count


3) Sorting also looks different - ORDER BY in SQL becomes "sort by" in KQL ("order by", used in the earlier query, is accepted as an alias):

events_table
| sort by starttime


There are many more examples, of course.
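As an added example (not from the original post), the query below chains the pieces shown above into one alert-style query. It goes beyond the post by using `summarize` for per-name counts; the `datatable` rows, the `level` column, the fixed `reference_time` and the threshold are constructed for illustration.

```kusto
// Added example, not from the original post. All rows are constructed sample data.
// reference_time stands in for now() so the result is repeatable.
let reference_time = datetime(2020-10-16 12:00:00);
let events_table = datatable(starttime: datetime, name: string, level: string)
[
    datetime(2020-10-16 09:15:00), "James", "Error",
    datetime(2020-10-15 22:40:00), "James", "Error",
    datetime(2020-10-14 08:05:00), "Maria", "Warning",
    datetime(2020-10-12 17:30:00), "James", "Information",
    datetime(2020-10-11 03:20:00), "Maria", "Error",
    datetime(2020-10-01 11:00:00), "James", "Error"    // older than 7 days
];
events_table
// Time window: on live data this would be  starttime > now(-7d)
| where starttime > reference_time - 7d
// == is case-sensitive; =~ compares without regard to case
| where level == "Error"
// One row per name, with the number of errors and the most recent one
| summarize error_count = count(), last_seen = max(starttime) by name
// Alert threshold (assumed value for this example)
| where error_count >= 2
// desc is the default direction for sort, unlike ORDER BY in SQL
| sort by error_count desc
```

Because the sample table is defined inline with `let`, the query can be pasted into any Log Analytics or Azure Data Explorer query window without needing an existing table.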


CONCLUSION: KQL is a "must" if you're planning to do monitoring and automated alerting in Azure. Most monitoring and logging services in Azure rely on KQL.
