Graph operators
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Kusto Query Language (KQL) graph operators enable graph analysis of data by representing tabular data as a graph with nodes and edges. This setup lets us use graph operations to study the connections and relationships between different data points.
Graph analysis is typically comprised of the following steps:
- Prepare and preprocess the data using tabular operators
- Build a graph from the prepared tabular data using make-graph
- Perform graph analysis using graph-match
- Transform the results of the graph analysis back into tabular form using graph-to-table
- Continue the query with tabular operators
Supported graph operators
The following table describes the supported graph operators.
Operator | Description |
---|---|
make-graph | Builds a graph from tabular data. |
graph-match | Searches for patterns in a graph. |
graph-to-table | Builds nodes or edges tables from a graph. |
Graph model
A graph is modeled as a directed property graph that represents the data as a network of vertices, or nodes, connected by edges. Both nodes and edges can have properties that store more information about them, and a node in the graph must have a unique identifier. A pair of nodes can have multiple edges between them that have different properties or direction. There's no special distinction of labels in the graph, and any property can act as a label.
Graph lifetime
A graph is a transient object. It's built in each query that contains graph operators and ceases to exist once the query is completed. To persist a graph, it has to first be transformed back into tabular form and then stored as edges or nodes tables.
Limitations and recommendations
The graph object is built in memory on the fly for each graph query. As such, there's a performance cost for building the graph and a limit to the size of the graph that can be built.
Although it isn't strictly enforced, we recommend building graphs with at most 10 million elements (nodes and edges). The actual memory limit for the graph is determined by query operators memory limit.