Radek Šlachta – Cloud Engineer

Kusto Query Language (KQL)

23 října, 2020

Basics queries in Kusto query language.

Azure demo environment here.

Mostly used Operators:

Search
Where
Take
Count
Summarize
Extend
Project
Distinct
Top

Search

Perf \| search „Memory“	This searched for a column whose value exactly matched the word Memory.
search in (Perf, Event, Alert) „memory“	A better choice is to limit the search to specific tables.
Perf \| search CounterName==“Available MBytes“	Within a table can search a specific column for an exact value.
Perf \| search CounterName:“MBytes“	Search for the value anywhere in the text in the specific column, return „Available MBytes“, „Used mBytes“ .
Perf \| search „Bytes“	Search across all columns using wildcards.
Perf \| search * startswith „Bytes“	Begins with Bytes then any text after it.
Perf \| search * endswith „Bytes“	Ends with Bytes.
Perf \| search „Free*Bytes“	Begins with Free, ends with bytes, anything in beetwin.
Perf \| search „Free*bytes“ and („C:“ or „D“)	Searches can be combined logically.
Perf \| search InstanceName matches regex „[A-Z]:“	Search also supports regular expressions.

Where

Similar to search, where limits the result set. Rather than looking across columns for values, where limits based on conditions

Perf \| where TimeGenerated >= ago(1h)	Returns all during 1 hour (d – day, h – hours, m – minutes, s – seconds, ms – milliseconds).
Perf \| where TimeGenerated >= ago(1h) and CounterName == „Bytes Received/sec“	Can build up the where by adding to it logically.
Perf \| where TimeGenerated >= ago(1h) and (CounterName == „Bytes Received/sec“ or CounterName == „% Processor Time“)	OR logic is allowed too!
Perf \| where TimeGenerated >= ago(1h) \| where (CounterName == „Bytes Received/sec“ or CounterName == „% Processor Time“) \| where CounterValue > 0	Stackable where operators.
Perf \| where * has „Bytes“	You can simulate search using where. Here it searches all columns in the input for the phrase Bytes somewhere in a column’s value.
Perf \| where * hassuffix „Bytes“	At the start.
Perf \| where * hassuffix „Bytes“	At the end.
Perf \| where * contains „Bytes“	Contains and has behave the same.
Perf \| where InstanceName matches regex „[A-Z]:“	Where supports regex as well.

Take

Take is used to grap a random number of rows from the input data.

Perf \| take 10	Returns 10 random rows.
Perf \| limit 10	Limit is synonym for „Take“.

Count

Perf \| count	Returns the numbers of rows in the input dataset
Perf \| where TimeGenerated >= ago(1h) and CounterName == „Bytes Received/sec“ and CounterValue > 0 \| count	Can also use with other filters.

Summarize

Perf \| summarize count() by CounterName	Summariaze allows you count number or rows by column using the count() aggregation function.
Perf \| summarize count() by ObjectName,CounterName	Can break down by multiple columns.
Perf \| summarize PerfCount=count() by ObjectName, CounterName	You can rename the output column for count.
Perf \| where CounterName == „% Free Space“ \| summarize NumberOfEntries=count(), AverageFreeSpace=avg(CounterValue) by CounterName	With Summarize, you can use other aggregation functions.
Perf \| summarize NuberOfEntries=count() by bin(TimeGenerated, 1d)	Bin allows you to summarize into logical groups, like days.
Perf \| summarize NuberOfEntries=count() by CounterName, bin(TimeGenerated, 1d)	Can bin at multiple levels.

Extends

Perf \| where CounterName == „Free Megabytes“ \| extend FreeGB = CounterValue / 1000	Extend creates c calculated column and adds to the result set.
Perf \| where CounterName == „Free Megabytes“ \| extend FreeGB = CounterValue / 1000, FreeKB = CounterValue * 1000	Can extend multiple columns at the same time.
Perf \| where TimeGenerated >= ago(10m) \| extend ObjectName = strcat(ObjectName, “ – „, CounterName)	Can also use with strcat to create new string colums.

Project

Perf \| project ObjectName, CounterName, InstanceName, CounterValue, TimeGenerated	Project allows you to select a subset of columns.
Perf \| where CounterName ==“Free Megabytes“ \| project ObjectName, CounterName, InstanceName, CounterValue, TimeGenerated \| extend FreeGB = CounterValue /1000, FreeMB = CounterValue, FreeKB = CounterValue * 1000	Combine Project with Extend.
Perf \| where CounterName ==“Free Megabytes“ \| project ObjectName, CounterName, InstanceName, CounterValue, TimeGenerated, FreeGB = CounterValue /1000, FreeMB = CounterValue, FreeKB = CounterValue * 1000	Project can simulate the extend.
Perf \| where TimeGenerated > ago(1h) \| project-away TenantId, SourceSystem, CounterPath, MG	There is a variant called project-away. It will project except the columns listed.
Perf \| where TimeGenerated > ago(1h) \| project-rename myRenamedComputer = Computer	If you only want to rename a column, then another variant of project is project-rename. It will rename the specified column but then pass the rest of the columns through.

Distinct

Perf \| distinct ObjectName, CounterName	Return a list of deduplicated values fro columns for the input dataset
Event \| where EventLevelName == „Error“ \| distinct Source	Distinct can be used to limit a result set. Get a list of all sources that had an error event.

Top

Perf | top 20 by TimeGenerated desc

Top returns the first N rows of the dataset when the dataset is sirted by the „by“ clause.

Scalar Operators

print „Hello World“	Print can be used to display output to the result grid. It is primarily a debugging tool. You can use it for static text.
print 2 * 3	More commonly to confirm calculations.
print NameOfColumnt = 2 * 3	You can also name the output column.
print now()	Returns the current date/time.
print ago(1d) print ago(1h) print ago(1m) print ago(1s) print ago(1ms) print ago(-1d) print ago(-365d)	Back 1 day Back 1 hour Back 1 minute Back 1 second Tomorrow 1 year in the future
Perf \| where TimeGenerated > ago(1h) \| where CounterName == „Avg. Disk sec/Red“ and InstanceName == „C:“ \| project Computer, TimeGenerated, ObjectName, CounterName, InstanceName, CounterValue \| sort by Computer, TimeGenerated	Sort will sort the output od a query. „Sort by“ could be replaced by „order by“
Perf \| where ObjectName == „LogicalDisk“ and InstanceName matches regex „[A-Z]:“ \| project Computer, CounterName, extract(„[A-Z]:“,1,InstanceName)	Extract pulls part of a passed in string (the third parameter) base on the regular expression place inside parnethesis. The second param detemines what is returned. A 0 returns whe wholw epression
Perf \| where ObjectName == „LogicalDisk“ and InstanceName matches regex „[A-Z]:“ \| project Computer, CounterName, extract(„([A-Z]):“,1,InstanceName)	When the second param is 1, it returns just the part in the parenthesis.
Event \| where RenderedDescription startswith „Event code: “ \| parse RenderedDescription with „Event code: “ myEventCode „Event message: “ myEventMessage „Event time: “ myEventTime „Event time (UTC): “ myEventTimeUTC „Event ID: “ myEventID „Event sequence: “ myEventSequence „Event occurrence: “ * \| project myEventCode, myEventMessage, myEventTime, myEventTimeUTC, myEventID, myEventSequence	Evaluates a string expression and parses its value into one or more calculated columns. The calculated columns will have nulls, for unsuccessfully parsed strings. For more information, see the parse-where operator.
Perf \| where CounterName == „AVG. Disk sec/Read“ \| where CounterValue > 0 \| take 10 \| extend HowLongAgo=( now() – TimeGenerated) \| project Computer, CounterName, TimeGenerated, HowLongAgo	Determine how long ago a counter was generated
Perf \| where CounterName == „AVG. Disk sec/Read“ \| where CounterValue > 0 \| take 10 \| extend HowLongAgo=( now() – TimeGenerated), TimeSinceStartOfYear=(TimeGenerated – datetime(2019-01-01)) \| project Computer, CounterName, TimeGenerated, HowLongAgo, TimeSinceStartOfYear	Time since a specifig date (i.e. star of the year)