Kusto Query Language (KQL) - Part 1
What you'll learn
- An overview of Azure Data Explorer (ADX)
- Azure Data Explorer Web UI and Log Analytics Demo Site
- A deep dive into the essentials of KQL
- The most commonly used KQL operators and functions
- Aggregating data with KQL
- Exporting data to Excel and Power BI
- Ingesting Data into Azure Data Explorer
Requirements
- No knowledge of Azure required. Some knowledge of SQL would be helpful.
- A Microsoft account will be required to use the Log Analytics demo site. There is no cost involved.
There is a good chance you have already used Azure Data Explorer (ADX) to some degree without knowing it. If you have used Azure Security Center, Azure Sentinel, Application Insights, Resource Graph Explorer, or enabled diagnostics on your Azure resources, then you have used ADX. All these services rely on Log Analytics, which is built on top of ADX and is queried using KQL.
Like many other tools and products, ADX was started by a small group of engineers in Israel around 2015 who needed to solve a problem. A group of developers from Microsoft's Power BI team needed a high-performing big data solution to ingest and analyze their logging and telemetry data. They could not find a service that met all their needs, so they built their own. The result was Azure Data Explorer, also known as Kusto.
So, what is ADX? It is a fully managed, append-only columnar store big data service capable of elastic scaling and ingesting literally hundreds of billions of rows daily. ADX offers:
- Low-latency ingestion and elastic scaling
- Cost-efficient (pay as you consume)
- Time Series Analysis
- Super fast query performance via KQL
- Custom built solutions
As great as ADX is, this course is mostly centered around KQL (Kusto Query Language). KQL is the query language for managing all logging and telemetry data stored in ADX. Even if you do not use ADX directly, you will still use KQL for monitoring, analyzing logs, managing assets, exploring security data, and exploring Application Insights data. KQL is ADX's read-only query language that has many similarities with SQL, such as working with tables, columns, and providing functionality for filtering. KQL supports a subset of SQL, and SQL statements can be executed and converted to KQL using the EXPLAIN keyword, reducing the learning curve for engineers with an SQL background.
This is part 1 of a two-part series covering ADX (lightly) and the KQL language (mostly). The goal of this course is to cover the basics. At the end of this five-hour course you will have a solid understanding of what KQL can do. And it can do a lot! In some respects I like it better than T-SQL, which I have used for over 20 years.
Part 2 of this course goes well beyond the basics and will cover many advanced KQL topics and scenarios (and some more ADX).
Who this course is for:
- Anyone needing to analyze data from Azure Security Center, Azure Sentinel, Application Insights, Resource Graph Explorer, or enabled diagnostics on your Azure resources
- Anyone wanting to learn the amazing Kusto Query Language
Microsoft Certified Professional:
Exam 70-778: Analyzing and Visualizing Data with Microsoft Power BI (January 2019 - 80% score)
Exam PL-300: Power BI Data Analyst (December 2022 - 80% score)
Snowflake Core Certification Exam (April 2021 - 90% score)
Seasoned database engineer (OLTP, data warehouses, operational data stores), tabular modeling, business intelligence development, Power BI, Snowflake, Microsoft Fabric and KQL. 20 years of software development using a variety of Microsoft technologies, mostly C#.
2016 Nominee for the First Solar Business Enablement CEO Award for Analytics Tools & Methods Infrastructure.
StackOverflow reputation of 47,000 (top 1%)