Views

Applies to: ✅ Azure Data Explorer, Azure Monitor, Microsoft Sentinel

A view is a virtual table based on the result-set of a Kusto Query Language (KQL) query.

Like real tables, views organize data with rows and columns, and participate in tasks that involve wildcard table name resolution, such as union * and search * scenarios. However, unlike real tables, views don't maintain dedicated data storage. Rather, they dynamically represent the result of a query.

How to define a view

Views are defined through user-defined functions, which come in two forms: query-defined functions and stored functions. To qualify as a view, a function must accept no arguments and yield a tabular expression as its output.

To define a query-defined function as a view, specify the view keyword before the function definition. For an example, see Query-defined view.

To define a stored function as a view, set the view property to true when you create the function. For an example, see Stored view. For more information, see the .create function command.

Examples

Query-defined view

The following query defines two functions: T_view and T_notview. The query results demonstrate that only T_view is resolved by the wildcard reference in the union operation.

let T_view = view () { print x=1 };
let T_notview = () { print x=2 };
union T*

Stored view

The following query defines a stored view. This view behaves like any other stored function, yet can partake in wildcard scenarios.

.create function 
    with (view=true, docstring='Simple demo view', folder='Demo')  
    MyView() { StormEvents | take 100 }