Views
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
A view is a virtual table based on the result-set of a Kusto Query Language (KQL) query.
Like real tables, views organize data with rows and columns, and participate in tasks that involve wildcard table name resolution, such as union * and search * scenarios. However, unlike real tables, views don't maintain dedicated data storage. Rather, they dynamically represent the result of a query.
How to define a view
Views are defined through user-defined functions, which come in two forms: query-defined functions and stored functions. To qualify as a view, a function must accept no arguments and yield a tabular expression as its output.
To define a query-defined function as a view, specify the view
keyword before the function definition. For an example, see Query-defined view.
To define a stored function as a view, set the view
property to true
when you create the function. For an example, see Stored view. For more information, see the .create function command.
Examples
Query-defined view
The following query defines two functions: T_view
and T_notview
. The query results demonstrate that only T_view
is resolved by the wildcard reference in the union operation.
let T_view = view () { print x=1 };
let T_notview = () { print x=2 };
union T*
Stored view
The following query defines a stored view. This view behaves like any other stored function, yet can partake in wildcard scenarios.
.create function
with (view=true, docstring='Simple demo view', folder='Demo')
MyView() { StormEvents | take 100 }