Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Kusto Query Language (KQL) is a powerful tool to explore your data and discover patterns, identify anomalies and outliers, create statistical modeling, and more. Are you new to KQL or want to improve your KQL skills? Take a look at the following learning resources.
For more information on KQL, see KQL overview.
Demo environment
You can practice Kusto Query Language statements in a Log Analytics demo environment in the Azure portal. There's no charge to use this practice environment, but you do need an Azure account to access it.
Like Log Analytics in your production environment, it can be used in many ways:
Choose a table on which to build a query. From the default Tables tab (shown in the red rectangle at the upper left), select a table from the list of tables grouped by topics (shown at the lower left). Expand the topics to see the individual tables, and you can further expand each table to see all its fields (columns). Double-clicking on a table or a field name places it at the point of the cursor in the query window. Type the rest of your query following the table name, as directed below.
Find an existing query to study or modify. Select the Queries tab (shown in the red rectangle at the upper left) to see a list of queries available out-of-the-box. Or, select Queries from the button bar at the top right. Double-click a query to place it in the query window at the point of the cursor.
Like in this demo environment, you can query and filter data in the Microsoft Sentinel Logs page. You can select a table and drill down to see columns. You can modify the default columns shown using the Column chooser, and you can set the default time range for queries. If the time range is explicitly defined in the query, the time filter is unavailable (grayed out).
General training
For general information about KQL, see:
- Pluralsight: KQL from scratch
- Kusto Detective Agency
- Tutorial: Learn common operators
- Tutorial: Use aggregation functions
- Tutorial: Join data from multiple tables
- Cloud Academy: Introduction to Kusto Query Language
Azure Data Explorer
For more information about KQL in Azure Data Explorer, see:
Azure Monitor
For more information about KQL in Azure Monitor, see:
Microsoft Sentinel
For more information about KQL in Microsoft Sentinel, see: