KQL Cheat Sheet: The Basics
KQL basics, filtering, selecting, aggregating and joining. Must-know queries for you cyber folk.
Basic Syntax
- Use the `|` (pipe) operator to chain operators; each stage receives the output of the previous one.
- Use the `let` statement to define variables (a scalar, a `dynamic` list, or a whole tabular expression). Each `let` ends with a semicolon and must be in the same batch as the query that uses it.
- Use the `where` operator to filter rows.
- Use the `project` operator to select specific columns.
- Use the `summarize` operator to group and aggregate data.
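A pipeline that uses all five pieces together, added here as an example and not part of the original cheat sheet. It assumes the Microsoft Sentinel `SigninLogs` table with its usual `TimeGenerated`, `UserPrincipalName`, `IPAddress` and `ResultType` columns; the IP addresses in the list are constructed sample values.

```kql
// let defines three kinds of variable: a scalar timespan, a dynamic list,
// and a tabular expression that is itself a query. All three end with ';'.
let lookback = 7d;
let suspicious_ips = dynamic(["198.51.100.7", "198.51.100.22"]);   // constructed example IPs
let failed_signins =
    SigninLogs
    | where TimeGenerated > ago(lookback)   // always bound the time range first
    | where ResultType != "0";              // in SigninLogs, "0" means success
// The query body: each '|' stage consumes the previous stage's rows.
failed_signins
| where IPAddress in (suspicious_ips)
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType
| summarize Attempts = count(), DistinctUsers = dcount(UserPrincipalName),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
            by IPAddress
| order by Attempts desc
```

Putting the time filter first matters on large tables: KQL prunes by `TimeGenerated` before it evaluates the rest of the pipeline, so the other `where` clauses run over far fewer rows.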
Filtering Data
- `==`: `where ColumnName == "Value"` is an exact, case-sensitive match; use `=~` for a case-insensitive one and `!=` / `!~` to negate.
- `in`: `where ColumnName in ("Value1", "Value2")` matches any value in the list (case-sensitive); `in~` is case-insensitive and `!in` excludes.
- `contains`: `where ColumnName contains "Value"` is a case-insensitive substring match (`contains_cs` for case-sensitive).
- `startswith`: `where ColumnName startswith "Value"` is a case-insensitive prefix match.
- `endswith`: `where ColumnName endswith "Value"` is a case-insensitive suffix match.
- `has`: `where ColumnName has "Value"` matches a whole term (an alphanumeric token) rather than an arbitrary substring. It is faster than `contains` because it can use the term index, but `has "adm"` will not match "admin". Prefer `has` when you are looking for a complete word, process name or token.
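The difference between `has`, `contains` and the case-sensitivity variants is where most cheat-sheet users get bitten, so here is an added example (not from the original page) that runs them side by side. It assumes the Sentinel `SigninLogs` table; the user list and IP prefix are constructed sample values.

```kql
// Watch-list of accounts; in~ below makes the comparison case-insensitive,
// which matters because UPNs are not stored with consistent casing.
let watched_users = dynamic(["alice@contoso.com", "svc-backup@contoso.com"]);   // constructed
SigninLogs
| where TimeGenerated > ago(24h)
// 'has' matches a whole term: "admin" hits "Admin Portal" and "admin-center",
// but NOT "Administrator". Use it when you know the exact token.
| where AppDisplayName has "admin"
// 'contains' is a plain substring match and WOULD also hit "Administrator";
// it cannot use the term index, so it is slower on big tables:
// | where AppDisplayName contains "admin"
| where UserPrincipalName in~ (watched_users)   // plain 'in' would miss "Alice@Contoso.com"
| where ResultType != "0"                        // keep failures only
| where IPAddress startswith "203.0.113."         // constructed TEST-NET-3 prefix
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName
```

A useful habit: when a `where` on a string column returns nothing you expected, check whether the operator is case-sensitive (`==`, `in`, `contains_cs`, `has_cs`) before checking the data.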
Selecting Columns
- Use the `project` operator to select specific columns (everything not listed is dropped): `| project Column1, Column2, ...`
- Use the `extend` operator to add calculated columns while keeping the existing ones: `| extend NewColumn = Column1 + Column2`
Aggregating Data
- `summarize` operator: `| summarize Aggregation(Column1), Aggregation(Column2) by Column3` produces one row per distinct value of the `by` columns; name the outputs (`Total = count()`) or you get auto-generated names like `count_`.
- `count`: `| summarize count() by Column`
- `max`: `| summarize max(Column) by Column2`
- `min`: `| summarize min(Column) by Column2`
- `avg`: `| summarize avg(Column) by Column2`
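An added example (not part of the original cheat sheet) that covers both the Selecting Columns and Aggregating Data sections: `extend` builds the derived columns and `summarize` then groups on them. It assumes the Sentinel `SecurityEvent` table with Windows logon events 4624 (success) and 4625 (failure) and its `Account`, `Computer` and `IpAddress` columns.

```kql
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID in (4624, 4625)
// extend: derived columns, original columns are kept
| extend Outcome = iff(EventID == 4624, "Success", "Failure")
| extend Hour = bin(TimeGenerated, 1h)          // bucket time for the by-clause
| extend AccountLower = tolower(Account)        // normalise before grouping
// summarize: one row per account per hour; every aggregate is named
| summarize
    Attempts     = count(),
    Failures     = countif(Outcome == "Failure"),
    DistinctHosts = dcount(Computer),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated),
    AvgEventID   = avg(EventID),                // avg() works but is meaningless on an ID: pick columns avg makes sense for
    SourceIPs    = make_set(IpAddress, 10)      // up to 10 distinct IPs per group
    by AccountLower, Hour
| extend FailureRatio = round(todouble(Failures) / Attempts, 2)
| where Failures >= 5
// project: keep only what the analyst needs, in a sensible order
| project Hour, AccountLower, Attempts, Failures, FailureRatio, DistinctHosts, SourceIPs, FirstSeen, LastSeen
| order by Failures desc
```

`bin()` is what turns a raw timestamp into something you can group by; without it every row has a unique `TimeGenerated` and `summarize` produces one group per event.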
Joining Data
- `join` operator: `Table1 | join kind=inner Table2 on Column1, Column2`. Always state `kind=`; the default is `innerunique`, which keeps only one left-side row per key value and silently drops the rest.
- Right-side columns that share a name with a left-side column are renamed with a `1` suffix (the `Column1` key from `Table2` appears as `Column11`); KQL has no `Table2.Column2` syntax. To join on columns with different names, write `on $left.Column1 == $right.OtherColumn`.
- `join` with `project`: `Table1 | join kind=inner Table2 on Column1, Column2 | project Column1, Column2, Column3`
- `join` with `summarize`: `Table1 | join kind=inner Table2 on Column1, Column2 | summarize Aggregation(Column1), Aggregation(Column3) by Column2`