Quick Reference

A majority of the commands that you will need to be familiar with are captured here in the quick reference guide below.

Operator/Function	Description	Syntax
Filter/Search/Condition	Find relevant data by filtering or searching
where	Filters on a specific predicate	T | where Predicate
where contains/has	Contains: Looks for any substring match Has: Looks for a specific word (better performance)	T | where col1 contains/has "[search term]"
search	Searches all columns in the table for the value	[TabularSource |] search [kind=CaseSensitivity] [in (TableSources)] SearchPredicate
take	Returns the specified number of records. Use to test a query Note: take and limit are synonyms.	T | take NumberOfRows
case	Adds a condition statement, similar to if/then/elseif in other systems.	case(predicate_1, then_1, predicate_2, then_2, predicate_3, then_3, else)
distinct	Produces a table with the distinct combination of the provided columns of the input table	distinct [ColumnName], [ColumnName]
Date/Time	Operations that use date and time functions
ago	Returns the time offset relative to the time the query executes. For example, ago(1h) is one hour before the current clock's reading.	ago(a_timespan)
format_datetime	Returns data in various date formats.	format_datetime(datetime , format)
bin	Rounds all values in a timeframe and groups them	bin(value,roundTo)
Create/Remove Columns	Add or remove columns in a table
print	Outputs a single row with one or more scalar expressions	print [ColumnName =] ScalarExpression [',' ...]
project	Selects the columns to include in the order specified	T | project ColumnName [= Expression] [, ...] Or T | project [ColumnName | (ColumnName[,]) =] Expression [, ...]
project-away	Selects the columns to exclude from the output	T | project-away ColumnNameOrPattern [, ...]
project-keep	Selects the columns to keep in the output	T | project-keep ColumnNameOrPattern [, ...]
project-rename	Renames columns in the result output	T | project-rename new_column_name = column_name
project-reorder	Reorders columns in the result output	T | project-reorder Col2, Col1, Col* asc
extend	Creates a calculated column and adds it to the result set	T | extend [ColumnName | (ColumnName[, ...]) =] Expression [, ...]
Sort and Aggregate Dataset	Restructure the data by sorting or grouping them in meaningful ways
sort operator	Sort the rows of the input table by one or more columns in ascending or descending order	T | sort by expression1 [asc|desc], expression2 [asc|desc], …
top	Returns the first N rows of the dataset when the dataset is sorted using by	T | top numberOfRows by expression [asc|desc] [nulls first|last]
summarize	Groups the rows according to the by group columns, and calculates aggregations over each group	T | summarize [[Column =] Aggregation [, ...]] [by [Column =] GroupExpression [, ...]]
count	Counts records in the input table (for example, T) This operator is shorthand for summarize count()	T | count
join	Merges the rows of two tables to form a new table by matching values of the specified column(s) from each table. Supports a full range of join types: fullouter, inner, innerunique, leftanti, leftantisemi, leftouter, leftsemi, rightanti, rightantisemi, rightouter, rightsemi	LeftTable | join [JoinParameters] ( RightTable ) on Attributes
union	Takes two or more tables and returns all their rows	[T1] | union [T2], [T3], …
range	Generates a table with an arithmetic series of values	range columnName from start to stop step step
Format Data	Restructure the data to output in a useful way
lookup	Extends the columns of a fact table with values looked-up in a dimension table	T1 | lookup [kind = (leftouter|inner)] ( T2 ) on Attributes
mv-expand	Turns dynamic arrays into rows (multi-value expansion)	T | mv-expand Column
parse	Evaluates a string expression and parses its value into one or more calculated columns. Use for structuring unstructured data.	T | parse [kind=regex [flags=regex_flags] |simple|relaxed] Expression with * (StringConstant ColumnName [: ColumnType]) *...
make-series	Creates series of specified aggregated values along a specified axis	T | make-series [MakeSeriesParamters] [Column =] Aggregation [default = DefaultValue] [, ...] on AxisColumn from start to end step step [by [Column =] GroupExpression [, ...]]
let	Binds a name to expressions that can refer to its bound value. Values can be lambda expressions to create query-defined functions as part of the query. Use let to create expressions over tables whose results look like a new table.	let Name = ScalarExpression | TabularExpression | FunctionDefinitionExpression
General	Miscellaneous operations and function
invoke	Runs the function on the table that it receives as input.	T | invoke function([param1, param2])
evaluate pluginName	Evaluates query language extensions (plugins)	[T |] evaluate [ evaluateParameters ] PluginName ( [PluginArg1 [, PluginArg2]... )
Visualization	Operations that display the data in a graphical format
render	Renders results as a graphical output	T | render Visualization [with (PropertyName = PropertyValue [, ...] )]

KQL quick reference - KustoMicrosoftLearn