Quick Reference

A majority of the commands that you will need to be familiar with are captured here in the quick reference guide below.

Operator/Function
Description
Syntax

Filter/Search/Condition

Find relevant data by filtering or searching

where

Filters on a specific predicate

T | where Predicate

where contains/has

Contains: Looks for any substring match Has: Looks for a specific word (better performance)

T | where col1 contains/has "[search term]"

search

Searches all columns in the table for the value

[TabularSource |] search [kind=CaseSensitivity] [in (TableSources)] SearchPredicate

take

Returns the specified number of records. Use to test a query Note: take and limit are synonyms.

T | take NumberOfRows

case

Adds a condition statement, similar to if/then/elseif in other systems.

case(predicate_1, then_1, predicate_2, then_2, predicate_3, then_3, else)

distinct

Produces a table with the distinct combination of the provided columns of the input table

distinct [ColumnName], [ColumnName]

Date/Time

Operations that use date and time functions

ago

Returns the time offset relative to the time the query executes. For example, ago(1h) is one hour before the current clock's reading.

ago(a_timespan)

format_datetime

Returns data in various date formats.

format_datetime(datetime , format)

bin

Rounds all values in a timeframe and groups them

bin(value,roundTo)

Create/Remove Columns

Add or remove columns in a table

print

Outputs a single row with one or more scalar expressions

print [ColumnName =] ScalarExpression [',' ...]

project

Selects the columns to include in the order specified

T | project ColumnName [= Expression] [, ...] Or T | project [ColumnName | (ColumnName[,]) =] Expression [, ...]

project-away

Selects the columns to exclude from the output

T | project-away ColumnNameOrPattern [, ...]

project-keep

Selects the columns to keep in the output

T | project-keep ColumnNameOrPattern [, ...]

project-rename

Renames columns in the result output

T | project-rename new_column_name = column_name

project-reorder

Reorders columns in the result output

T | project-reorder Col2, Col1, Col* asc

extend

Creates a calculated column and adds it to the result set

T | extend [ColumnName | (ColumnName[, ...]) =] Expression [, ...]

Sort and Aggregate Dataset

Restructure the data by sorting or grouping them in meaningful ways

sort operator

Sort the rows of the input table by one or more columns in ascending or descending order

T | sort by expression1 [asc|desc], expression2 [asc|desc], …

top

Returns the first N rows of the dataset when the dataset is sorted using by

T | top numberOfRows by expression [asc|desc] [nulls first|last]

summarize

Groups the rows according to the by group columns, and calculates aggregations over each group

T | summarize [[Column =] Aggregation [, ...]] [by [Column =] GroupExpression [, ...]]

count

Counts records in the input table (for example, T) This operator is shorthand for summarize count()

T | count

join

Merges the rows of two tables to form a new table by matching values of the specified column(s) from each table. Supports a full range of join types: fullouter, inner, innerunique, leftanti, leftantisemi, leftouter, leftsemi, rightanti, rightantisemi, rightouter, rightsemi

LeftTable | join [JoinParameters] ( RightTable ) on Attributes

union

Takes two or more tables and returns all their rows

[T1] | union [T2], [T3], …

range

Generates a table with an arithmetic series of values

range columnName from start to stop step step

Format Data

Restructure the data to output in a useful way

lookup

Extends the columns of a fact table with values looked-up in a dimension table

T1 | lookup [kind = (leftouter|inner)] ( T2 ) on Attributes

mv-expand

Turns dynamic arrays into rows (multi-value expansion)

T | mv-expand Column

parse

Evaluates a string expression and parses its value into one or more calculated columns. Use for structuring unstructured data.

T | parse [kind=regex [flags=regex_flags] |simple|relaxed] Expression with * (StringConstant ColumnName [: ColumnType]) *...

make-series

Creates series of specified aggregated values along a specified axis

T | make-series [MakeSeriesParamters] [Column =] Aggregation [default = DefaultValue] [, ...] on AxisColumn from start to end step step [by [Column =] GroupExpression [, ...]]

let

Binds a name to expressions that can refer to its bound value. Values can be lambda expressions to create query-defined functions as part of the query. Use let to create expressions over tables whose results look like a new table.

let Name = ScalarExpression | TabularExpression | FunctionDefinitionExpression

General

Miscellaneous operations and function

invoke

Runs the function on the table that it receives as input.

T | invoke function([param1, param2])

evaluate pluginName

Evaluates query language extensions (plugins)

[T |] evaluate [ evaluateParameters ] PluginName ( [PluginArg1 [, PluginArg2]... )

Visualization

Operations that display the data in a graphical format

render

Renders results as a graphical output

T | render Visualization [with (PropertyName = PropertyValue [, ...] )]

LogoKQL quick reference - KustoMicrosoftLearn

Last updated