Wilson Mar bio photo

Wilson Mar

Hello!

Calendar YouTube Github Acronyms

LinkedIn

Adds filters missing in GraphQL. Adds graphs missings in SQL. The one language to rule logs.

US (English)   Norsk (Norwegian)   Español (Spanish)   Français (French)   Deutsch (German)   Italiano   Português   Estonian   اَلْعَرَبِيَّةُ (Egypt Arabic)   Napali   中文 (简体) Chinese (Simplified)   日本語 Japanese   한국어 Korean

Overview

kql.png Kusto is named after pioneering Oceanographer Jacque Custou (pronounced “Kusto”). Like the language, he dove deep into a vast ocean for new insights.

NOTE: Content here are my personal opinions, and not intended to represent any employer (past or present). “PROTIP:” here highlight information I haven’t seen elsewhere on the internet because it is hard-won, little-know but significant facts based on my personal research and experience.

Compared to SQL, KQL is less verbose.

But KQL is proprietary to Microsoft.

KQL is used in several Azure products, including Microsoft’s Azure Data Explorer (ADX) offering. The ADX managed SaaS service (GA 2019) for big data exploration in NRT (Near Real Time).

Log Analytics is a tool in the Azure portal to edit and run log queries from data collected by Azure Monitor logs – to interactively analyze their results. Use Log Analytics queries to retrieve records that match particular criteria, identify trends, analyze patterns, and provide various insights into your data.

This example of a KQL query draws data from the Heartbeat dataset. rendered as a timechart:

kql-logs-query-example-2237x1597

REMEMBER: The KQL language is read-only (does not update data). There is a limit of 5 GB in KQL queries.

Tutorials

On Microsoft Learn (for XP points): text-based:

On OReilly.com:

https://github.com/oreillymedia/Hands-On-Kusto-Query-Language

https://github.com/razi-rais/Microsoft-Security-Operations-Analyst-Bootcamp/tree/main/resources

YouTube videos:

CxE KQL hands-on lab exercises videos:

On Pluralsight.com:

GenAI chat

The Microsoft Security Copilot service (https://securitycopilot.microsoft.com/) offers a chat interface to interact with the Security Copilot service.

Hands-on a sample database

  1. Open demo data from Microsoft:

    https://aka.ms/LADemo which resolves to:
    https://portal.loganalytics.io/demo

  2. Click this to open the Log Analytics demo environment:

    https://portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade

    Learn more about Log Analytics: Quickly retrieve, consolidate, and analyze all data collected into Azure Monitoring Logs. Save your queries for future use, pin query results to Azure Dashboards, and create log alerts.

    Query Language: Log Analytics uses a version of the Kusto Query language (KQL) that is suitable for both simple and advanced log queries using functionality such as aggregations, joins, and smart analytics.

  3. Click the X at the upper-right to close the introduction modal page, for the “Logs Demo” page on the Portal, with “New Query 1” tab.

  4. Click “Not now” to pop-up “Select a table or choose one of the categories on the left to see tables, queries, functions, and query history. Click Run to get query results.”

    az-kql-logs-2158x648.png

    Icons on the left:

    • Tables
    • Queries
    • Functions
    • Query history
  5. Click “Simple mode” (for clicking GUI) at the right to switch to “KQL mode” (for typing commands). For repeatability, make it your default.

    Sample KQL Queries

  6. Click “Queries hub” to see all saved queries.
  7. Click “Community Git repo” at the top to see the “open repo for Azure Monitor queries, workbooks, alerts and more”:

    https://github.com/microsoft/AzureMonitorCommunity

  8. Click through its folders to see:

    • Azure Services
    • Scenarios
    • Solutions

    There is also:
    https://github.com/Azure/Azure-Sentinel/blob/master/Hunting

  9. Click “Query explorer” tab at the right.
  10. Expand “Saved Queries”
  11. Double-click on “Pluralsight” to expand the category.
  12. Click to open “m2-table-80-percent”.

    OBSERVE: Clicking completely replaces the existing KQL entry, without needing to clear it first.

    // precede all comments in code.

  13. Highlight a query, click blue “Run” or hold down Shift and press Enter.

    CAUTION: “No result” will be returned if there is no data.

    “Perf” is the table name to search in. This table has these fields visible:

    TenantId Computer ObjectName ObjectName CounterName InstanceName
  14. To see more columns, drag the horizonal bar or on the Touchpad move two fingers to the left:

    CounterValue CounterPath StandardDeviation Type
    _ResourceID TenantID SourceSystem MG
  15. PROTIP: The full list of columns for this and all other tables is:

    https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/perf

  16. Set the Time Frame or set in the script text:

    | where TimeGenerated >= ago(1h)

    PROTIP: Several where statements can be stacked.

    Operators

  17. For operators, click on the KQL query text area and press command+Enter:

    • where - filter
    • count
    • extend - creates a calculated column in the result set (before project)
    • join
    • limit
    • lookup
    • order
    • project - select a subset of columns (instead of all columns from table)
    • project-away - remove column

  18. To scroll for more, mouse over the list and slide two-fingers on the Mac Touchpad:

    • sort
    • summarize
    • search

    • distinct - to not repeat values shown
    • make-series
    • mv-apply
    • mv-expand
    • take 5 // return 5 records
    • top 20 // rows
    • top-nested …

    The Pluralsight video covers search, where, take, count, summarize, extend, project, distinct.

    Examples to limit too much being returned (and wasting time):

    | search kind=case_sensitive "memory"
    | search in (Perf, Event, Alert) "Contoso"
  19. Use colon to search text wildcard:

    | search CounterName:"MBytes"
  20. Limit column:

    | search * starswith "Bytes"
    | search * endswith "Bytes"
    | search "Free*Bytes" // Any that Begins with free or ends with bytes
    
    | search InstanceName matches regex "[A-Z]:*"
    
    
    
  21. Click “m3-demo-scalar” explained by this VIDEO covering Scalar Operators:

    print, now() UTC, ago(-7d), sort by asc, extract, parse, datetime, Timespan Artithmetic, startof…, endof…, between, todynamic, format_datetime, format_timespan, datetime_aart, case, iif, isempty/isnull, split, String Operators, strcat

  22. Click “m4-demo-advanced-aggregations” explained by this VIDEO

    • summarize arg_max/arg_min( column ),
    • makelist - flaten a hierarchy to a JSON array, allowing dup. values
    • makeset - flaten a hierarchy to a JSON array, removing dup. values

    For a list of PCs with low disk space:

    Perf
    | where CounterName == "% Free Space"
    |   and CounterValue <= 30
    | summarize Computers = makeset(Computer)
    
    • mvexpand, percentiles, dcount (distinct count, accuracy), dcountif, countif, pivot, top-nested, max/min, sum/sumif, any

Datasets

  1. Click “m5-demo-working-with-datasets” explained by this VIDEO

    • let, join (tables), union (combine) with source, kind=outer
    • datatable, prev/next, toscalar, row_cumsum, materialize

Time Series

  1. Click “m6-demo-time-series” explained by this VIDEO

Machine Learning

  1. Click “m7-data-machine-learning” explained by this VIDEO Machine Learning

    • evaulate basket(threshold) - for the most frequently appearing combination of attributes, given the threshold for minimum frequency (default 0.05 or 5%)
    • autocluster
    • evaulate diffpatterns(EventLevelName, ‘Error’, ‘Warning’) // splits dataset to identify differences as “Error” or “Warning”. Use iif to flag metrics before and after the incident.
    • reduce by Computer with threshold = 0.6 // to determine pattern, with default threshold of 0.1.

Exporting data to CSV

  1. Click “m8-exporting-data” explained by this VIDEO

  2. To export to CSV file, run query and click the export icon.
  3. Select Export to CSV - all columns or display columns.
  4. In the pop-up at the bottom, click Save As.
  5. Specify the folder and file name.

Run KSL in PowerBI Desktop

  1. Copy the Query to your Clipboard.
  2. Download and install PowerBI Desktop from https://powerbi.microsoft.com/desktop
  3. Open PowerBI
  4. In Home group, Get Data - Blank Query
  5. Advanced Editor
  6. Paste the query (command+V). Done runs the query.
  7. Close and apply changes.
  8. Create visualizations, etc.

More examples

Events
| where StartTime >= datetime(2018-11-01) and StartTime < datetime(2018-12-01)
| where State == "FLORIDA"  
| count
   

KQL in Data Explorer

  1. Pluralsight VIDEO course Microsoft Azure Data Explorer - Advanced KQL by Robert Cain.

  2. Download and expand microsoft-azure-data-explorer-advanced-query-capabilities.zip to view folder module-05-performing-diagnostic-and-root-cause-analysis.

  3. ??? Load into Azure

    covers functions,

    inline Python & R code (converted to KQL string by highlighting then Ctrl+K & Ctrl+S).

    Analyze data using geospatial analysis,

    Root Cause Analysis Diagnostics

    clustering algorithms, time series analysis.

    Exploring data using Kusto

  4. Exploring Data in Microsoft Azure Using Kusto Query Language and Azure Data Explorer, download exercise file microsoft-azure-data-exploring.zip (to your Downloads folder) and unzip. In folder coursfiles, ??

JMESPath

The https://github.com/jmespath/jmespath.terminal Python package offers an interactive environment to work with queries. Data is piped as input, and then queries are written and run in the editor:

pip install jmespath-terminal
az vm list --output json | jpterm
   

From: https://docs.microsoft.com/en-us/cli/azure/query-azure-cli


More on Azure

This is one of a series on Azure:

  1. DevOps_2.0
  2. ci-cd (Continuous Integration and Continuous Delivery)
  3. User Stories for DevOps
  4. Enterprise Software)

  5. Git and GitHub vs File Archival
  6. Git Commands and Statuses
  7. Git Commit, Tag, Push
  8. Git Utilities
  9. Data Security GitHub
  10. GitHub API
  11. TFS vs. GitHub

  12. Choices for DevOps Technologies
  13. Pulumi Infrastructure as Code (IaC)
  14. Java DevOps Workflow
  15. Okta for SSO & MFA

  16. AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
  17. AWS server deployment options
  18. AWS Load Balancers

  19. Cloud services comparisons (across vendors)
  20. Cloud regions (across vendors)
  21. AWS Virtual Private Cloud

  22. Azure Cloud Onramp (Subscriptions, Portal GUI, CLI)
  23. Azure Certifications
  24. Azure Cloud

  25. Azure Cloud Powershell
  26. Bash Windows using Microsoft’s WSL (Windows Subsystem for Linux)
  27. Azure KSQL (Kusto Query Language) for Azure Monitor, etc.

  28. Azure Networking
  29. Azure Storage
  30. Azure Compute
  31. Azure Monitoring

  32. Digital Ocean
  33. Cloud Foundry

  34. Packer automation to build Vagrant images
  35. Terraform multi-cloud provisioning automation
  36. Hashicorp Vault and Consul to generate and hold secrets

  37. Powershell Ecosystem
  38. Powershell on MacOS
  39. Powershell Desired System Configuration

  40. Jenkins Server Setup
  41. Jenkins Plug-ins
  42. Jenkins Freestyle jobs
  43. Jenkins2 Pipeline jobs using Groovy code in Jenkinsfile

  44. Docker (Glossary, Ecosystem, Certification)
  45. Make Makefile for Docker
  46. Docker Setup and run Bash shell script
  47. Bash coding
  48. Docker Setup
  49. Dockerize apps
  50. Docker Registry

  51. Maven on MacOSX

  52. Ansible
  53. Kubernetes Operators
  54. OPA (Open Policy Agent) in Rego language

  55. MySQL Setup

  56. Threat Modeling
  57. SonarQube & SonarSource static code scan

  58. API Management Microsoft
  59. API Management Amazon

  60. Scenarios for load
  61. Chaos Engineering