Kusto Query Language learning resources

Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel

Kusto Query Language (KQL) is a powerful tool to explore your data and discover patterns, identify anomalies and outliers, create statistical models, and more. Are you new to KQL, or do you want to improve your KQL skills? Take a look at the following learning resources.

For more information on KQL, see KQL overview.

Demo environment

You can practice Kusto Query Language statements in a Log Analytics demo environment in the Azure portal. There's no charge to use this practice environment, but you do need an Azure account to access it.

Like Log Analytics in your production environment, it can be used in many ways:

  • Choose a table on which to build a query. From the default Tables tab (shown in the red rectangle at the upper left), select a table from the list of tables grouped by topics (shown at the lower left). Expand the topics to see the individual tables, and you can further expand each table to see all its fields (columns). Double-clicking on a table or a field name places it at the point of the cursor in the query window. Type the rest of your query following the table name, as directed below.

  • Find an existing query to study or modify. Select the Queries tab (shown in the red rectangle at the upper left) to see a list of queries available out-of-the-box. Or, select Queries from the button bar at the top right. Double-click a query to place it in the query window at the point of the cursor.

As in this demo environment, you can query and filter data in the Microsoft Sentinel Logs page. You can select a table and drill down to see its columns. You can modify the default columns shown using the Column chooser, and you can set the default time range for queries. If the time range is explicitly defined in the query, the time filter is unavailable (grayed out).

General training

For general information about KQL, see:

Azure Monitor

For more information about KQL in Azure Monitor, see: