Basic Queries
Overview:
The following section goes over the basic queries that can be run within KQL.
Data Retrieval
Selecting Columns
Use the
projectoperator to select specific columns from a table.Example with security logs:
Filtering Rows with
whereClauseThe
whereclause filters rows based on a condition.Example to filter security logs for logon events:
Multiple conditions can be combined using logical operators (
and,or,not).Example to filter for successful logons by a specific user:
Sorting and Limiting Data
Using
sort byThe
sort byoperator sorts the results by one or more columns.Example to sort security logs by time:
Limiting Results with
topandtakeThe
topoperator returns the top N rows based on a specific column.Example to get the top 10 most recent security events:
The
takeoperator returns the first N rows from the result set.Example to take the first 5 rows from the security event log:
Aggregating Data
Using
summarizefor AggregationsThe
summarizeoperator is used for data aggregation, such as calculating sums, averages, counts, etc.Example to count the number of events per computer:
Aggregations can be grouped by one or more columns.
Example to count the number of logon events per account:
Common Aggregation Functions
sum(): Calculates the sum of values.count(): Counts the number of rows.avg(): Calculates the average of values.min(),max(): Finds the minimum and maximum values.
Last updated