KQL Cheat Sheet: The Basics

KQL basics: filtering, selecting, aggregating and joining. Must-know queries for you cyber folks.

KQL - Kusto Cheat Sheet

Basic Syntax

  • Use the | (pipe) operator to separate multiple commands.
  • Use the let keyword to create variables.
  • Use the where keyword to filter results.
  • Use the project keyword to select specific columns.
  • Use the summarize keyword to group and aggregate data.

Filtering Data

  • where keyword: where ColumnName == "Value"
  • in keyword: where ColumnName in ("Value1", "Value2")
  • contains keyword (case-insensitive substring match; slower than has because it cannot use the term index): where ColumnName contains "Value"
  • startswith keyword: where ColumnName startswith "Value"
  • endswith keyword: where ColumnName endswith "Value"
  • has keyword (case-insensitive match on a whole term, so "admin" does not match "administrator"; uses the term index and is preferred over contains for speed and precision): where ColumnName has "Value"

Selecting Columns

  • Use the project keyword to select specific columns: | project Column1, Column2, ...
  • Use the extend keyword to add calculated columns: | extend NewColumn = Column1 + Column2

Aggregating Data

  • summarize keyword: | summarize Aggregation(Column1), Aggregation(Column2) by Column3
  • count keyword: | summarize count() by Column
  • max keyword: | summarize max(Column) by Column2
  • min keyword: | summarize min(Column) by Column2
  • avg keyword: | summarize avg(Column) by Column2

Joining Data

  • join keyword: Table1 | join kind=inner Table2 on Column1, Column2
  • join with project: Table1 | join kind=inner Table2 on Column1, Column2 | project Column1, Column21
  • join with summarize: Table1 | join kind=inner Table2 on Column1, Column2 | summarize Aggregation(Column1), Aggregation(Column21) by Column3
  • Note: there is no Table2.Column2 syntax in KQL. After a join, a right-side column whose name collides with a left-side column is kept with a 1 suffix (Column2 from Table2 becomes Column21); unambiguous right-side columns keep their original name.
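Putting let, where, project, summarize and join together, as an added example that is not part of the original cheat sheet: it assumes the Microsoft Sentinel SigninLogs table (Microsoft Entra ID sign-in logs), where ResultType "0" means a successful sign-in, and flags source IPs that produced many failed sign-ins and then at least one success within the same window, a common sign of password spraying that paid off.

```kql
// Added example; assumes the SigninLogs table in Microsoft Sentinel.
// Tunable parameters declared with let.
let lookback = 1d;          // time window to inspect
let threshold = 10;         // failed sign-ins per IP before we care
// Step 1: per source IP, count failed sign-ins and how many distinct
// accounts were tried (many accounts from one IP suggests spraying).
let failed = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                      // anything but success
    | summarize FailedCount = count(),
                FailedUsers = dcount(UserPrincipalName) by IPAddress
    | where FailedCount >= threshold;
// Step 2: successful sign-ins in the same window, joined to the
// noisy IPs from step 1. Only IPs present on both sides survive kind=inner.
// The right-side IPAddress comes back as IPAddress1; we project the left one.
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName
| join kind=inner failed on IPAddress
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          FailedCount, FailedUsers
| order by FailedCount desc
```

Each row is an account that successfully authenticated from an IP that had already failed at least `threshold` times in the window; raise `threshold` or add a `where FailedUsers > 1` filter to focus on multi-account spraying rather than one user mistyping a password.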