Hamish Burke | 2025-06-30

Related to:

Kusto Query Language

• Query language used in
  • Azure Monitor logs
  • Log Analytics
  • Application Insights
• Pipe based
• Case sensitive
• Is readonly - can't write to tables

Basic Syntax

TableName
| where Column == "value"
| project Column1, Column2
| summarize count() by Column3
| order by Timestamp desc

Common Commands

• project: Select column (same as in Relational Algebra)
• where: Filter rows (same as in Structured Query Language (SQL))
• summarize: Aggregates (like GROUP BY)
• extend: Adds new calculated columns (eg count of smth)
  • eg | extend RiskScore = CveSeverityLevel == "High" ? 10 : 1
• order by: Sorts result
• limit: Limits row amount shown
• join: Join tables
• let: Declare variables
• parse: Extracts stuff with regex
• mv-expand: Explodes an array into multiple diff rows
• render: makes charts
• toscalar(): pulls a single-result table into a scalar for use in calculations or thresholds
• bin(): Trend analysis
• make-series: Time-series aggregations
• ago(): relative time filters
  • | where FirstObserved > ago(30d)