KQL (Kusto Query Language)

Adds filters missing in GraphQL. Adds graphs missings in SQL. The one language to rule logs.

                       

Overview

• Tutorials
• GenAI chat
• Hands-on a sample database
  • Sample KQL Queries
  • Operators
  • Datasets
  • Time Series
  • Machine Learning
  • Exporting data to CSV
• Run KSL in PowerBI Desktop
• More examples
  • KQL in Data Explorer
  • Exploring data using Kusto
• JMESPath
• More on Azure

Kusto is named after pioneering Oceanographer Jacque Custou (pronounced “Kusto”). Like the language, he dove deep into a vast ocean for new insights.

NOTE: Content here are my personal opinions, and not intended to represent any employer (past or present). “PROTIP:” here highlight information I haven’t seen elsewhere on the internet because it is hard-won, little-know but significant facts based on my personal research and experience.

Compared to SQL, KQL is less verbose.

But KQL is proprietary to Microsoft.

KQL is used in several Azure products, including Microsoft’s Azure Data Explorer (ADX) offering. The ADX managed SaaS service (GA 2019) for big data exploration in NRT (Near Real Time).

Log Analytics is a tool in the Azure portal to edit and run log queries from data collected by Azure Monitor logs – to interactively analyze their results. Use Log Analytics queries to retrieve records that match particular criteria, identify trends, analyze patterns, and provide various insights into your data.

This example of a KQL query draws data from the Heartbeat dataset. rendered as a timechart:

REMEMBER: The KQL language is read-only (does not update data). There is a limit of 5 GB in KQL queries.

Tutorials

On Microsoft Learn (for XP points): text-based:

• https://docs.microsoft.com/en-us/azure/data-explorer

• https://docs.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference

• This article on KQL is one of Neeraj Kumar’s excellent series on data science using Azure.

• https://learn.microsoft.com/en-us/training/paths/analyze-monitoring-data-with-kql/

• Tutorial: Use Log Analytics” on the Azure Monitor Documentation pages at
  https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-tutorial

• https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/

  • https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices

  • https://github.com/Azure/Azure-Security-Center/tree/master/Kusto/Azure%20Resource%20Graph

On OReilly.com:

https://github.com/oreillymedia/Hands-On-Kusto-Query-Language

https://github.com/razi-rais/Microsoft-Security-Operations-Analyst-Bootcamp/tree/main/resources

YouTube videos:

CxE KQL hands-on lab exercises videos:

• part 1 of 3 by Ofer Shezaf [Deck]

• part 2 of 3 [Deck]

• part 3 of 3 [Deck]

On Pluralsight.com:

• 4 hr VIDEO COURSE: “Kusto Query Language (KQL) from scratch” by Robert Cain, who also has an Advanced course.

• this Pluralsight VIDEO)

• 2.45 hr VIDEO COURSE: Exploring Data in Microsoft Azure Using Kusto Query Language and Azure Data Explorer by Neeraj Kumar (@mstechtrainings) makes use of NOAA’s Storm Events Database.

• 4h VIDEO COURSE: How to Start with Microsoft Azure Data Explorer (ADX) 29 Jun 2020 by Xavier Morera

  • https://www.pluralsight.com/partners/microsoft/azure-data-explorer
  • https://docs.microsoft.com/en-us/azure/data-explorer/security-baseline
    
    

GenAI chat

The Microsoft Security Copilot service (https://securitycopilot.microsoft.com/) offers a chat interface to interact with the Security Copilot service.

Hands-on a sample database

1. Open demo data from Microsoft:

   https://aka.ms/LADemo which resolves to:
   https://portal.loganalytics.io/demo

2. Click this to open the Log Analytics demo environment:

   https://portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/DemoLogsBlade

   Learn more about Log Analytics: Quickly retrieve, consolidate, and analyze all data collected into Azure Monitoring Logs. Save your queries for future use, pin query results to Azure Dashboards, and create log alerts.

   • Learn More

   Query Language: Log Analytics uses a version of the Kusto Query language (KQL) that is suitable for both simple and advanced log queries using functionality such as aggregations, joins, and smart analytics.

   • Learn the query language
   • Online course

3. Click the X at the upper-right to close the introduction modal page, for the “Logs Demo” page on the Portal, with “New Query 1” tab.

4. Click “Not now” to pop-up “Select a table or choose one of the categories on the left to see tables, queries, functions, and query history. Click Run to get query results.”

   

   Icons on the left:

   • Tables
   • Queries
   • Functions
   • Query history

5. Click “Simple mode” (for clicking GUI) at the right to switch to “KQL mode” (for typing commands). For repeatability, make it your default.

   Sample KQL Queries

6. Click “Queries hub” to see all saved queries.

7. Click “Community Git repo” at the top to see the “open repo for Azure Monitor queries, workbooks, alerts and more”:

   https://github.com/microsoft/AzureMonitorCommunity

8. Click through its folders to see:

   • Azure Services
   • Scenarios
   • Solutions

   There is also:
   https://github.com/Azure/Azure-Sentinel/blob/master/Hunting

9. Click “Query explorer” tab at the right.
10. Expand “Saved Queries”
11. Double-click on “Pluralsight” to expand the category.

12. Click to open “m2-table-80-percent”.

    OBSERVE: Clicking completely replaces the existing KQL entry, without needing to clear it first.

    // precede all comments in code.

13. Highlight a query, click blue “Run” or hold down Shift and press Enter.

    CAUTION: “No result” will be returned if there is no data.

    “Perf” is the table name to search in. This table has these fields visible:

    TenantId

    Computer

    ObjectName

    ObjectName

    CounterName

    InstanceName

14. To see more columns, drag the horizonal bar or on the Touchpad move two fingers to the left:

    CounterValue

    CounterPath

    StandardDeviation

    Type

    _ResourceID

    TenantID

    SourceSystem

    MG

15. PROTIP: The full list of columns for this and all other tables is:

    https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/perf

16. Set the Time Frame or set in the script text:

    | where TimeGenerated >= ago(1h)

    PROTIP: Several where statements can be stacked.

    Operators

17. For operators, click on the KQL query text area and press command+Enter:

    • where - filter
    • count
    • extend - creates a calculated column in the result set (before project)
    • join
    • limit
    • lookup
    • order
    • project - select a subset of columns (instead of all columns from table)
    • project-away - remove column
      
      

18. To scroll for more, mouse over the list and slide two-fingers on the Mac Touchpad:

    • sort
    • summarize

    • search

    • distinct - to not repeat values shown
    • make-series
    • mv-apply
    • mv-expand
    • take 5 // return 5 records
    • top 20 // rows
    • top-nested …
      
      

    The Pluralsight video covers search, where, take, count, summarize, extend, project, distinct.

    Examples to limit too much being returned (and wasting time):

    | search kind=case_sensitive "memory"

    | search in (Perf, Event, Alert) "Contoso"

19. Use colon to search text wildcard:

    | search CounterName:"MBytes"

20. Limit column:

    | search * starswith "Bytes"

    | search * endswith "Bytes"

    | search "Free*Bytes" // Any that Begins with free or ends with bytes
    

    | search InstanceName matches regex "[A-Z]:*"
    
    
    

21. Click “m3-demo-scalar” explained by this VIDEO covering Scalar Operators:

    print, now() UTC, ago(-7d), sort by asc, extract, parse, datetime, Timespan Artithmetic, startof…, endof…, between, todynamic, format_datetime, format_timespan, datetime_aart, case, iif, isempty/isnull, split, String Operators, strcat

22. Click “m4-demo-advanced-aggregations” explained by this VIDEO

    • summarize arg_max/arg_min( column ),
    • makelist - flaten a hierarchy to a JSON array, allowing dup. values
    • makeset - flaten a hierarchy to a JSON array, removing dup. values

    For a list of PCs with low disk space:

    Perf
    | where CounterName == "% Free Space"
    |   and CounterValue <= 30
    | summarize Computers = makeset(Computer)
    

    • mvexpand, percentiles, dcount (distinct count, accuracy), dcountif, countif, pivot, top-nested, max/min, sum/sumif, any

Datasets

1. Click “m5-demo-working-with-datasets” explained by this VIDEO

   • let, join (tables), union (combine) with source, kind=outer
   • datatable, prev/next, toscalar, row_cumsum, materialize

Time Series

1. Click “m6-demo-time-series” explained by this VIDEO

Machine Learning

1. Click “m7-data-machine-learning” explained by this VIDEO Machine Learning

   • evaulate basket(threshold) - for the most frequently appearing combination of attributes, given the threshold for minimum frequency (default 0.05 or 5%)
   • autocluster
   • evaulate diffpatterns(EventLevelName, ‘Error’, ‘Warning’) // splits dataset to identify differences as “Error” or “Warning”. Use iif to flag metrics before and after the incident.
   • reduce by Computer with threshold = 0.6 // to determine pattern, with default threshold of 0.1.

Exporting data to CSV

1. Click “m8-exporting-data” explained by this VIDEO

2. To export to CSV file, run query and click the export icon.
3. Select Export to CSV - all columns or display columns.
4. In the pop-up at the bottom, click Save As.
5. Specify the folder and file name.

Run KSL in PowerBI Desktop

1. Copy the Query to your Clipboard.
2. Download and install PowerBI Desktop from https://powerbi.microsoft.com/desktop
3. Open PowerBI
4. In Home group, Get Data - Blank Query
5. Advanced Editor
6. Paste the query (command+V). Done runs the query.
7. Close and apply changes.
8. Create visualizations, etc.

More examples

Events
| where StartTime >= datetime(2018-11-01) and StartTime < datetime(2018-12-01)
| where State == "FLORIDA"  
| count
   

KQL in Data Explorer

1. Pluralsight VIDEO course Microsoft Azure Data Explorer - Advanced KQL by Robert Cain.

2. Download and expand microsoft-azure-data-explorer-advanced-query-capabilities.zip to view folder module-05-performing-diagnostic-and-root-cause-analysis.

3. ??? Load into Azure

   covers functions,

   inline Python & R code (converted to KQL string by highlighting then Ctrl+K & Ctrl+S).

   Analyze data using geospatial analysis,

   Root Cause Analysis Diagnostics

   clustering algorithms, time series analysis.

   Exploring data using Kusto

4. Exploring Data in Microsoft Azure Using Kusto Query Language and Azure Data Explorer, download exercise file microsoft-azure-data-exploring.zip (to your Downloads folder) and unzip. In folder coursfiles, ??

JMESPath

The https://github.com/jmespath/jmespath.terminal Python package offers an interactive environment to work with queries. Data is piped as input, and then queries are written and run in the editor:

pip install jmespath-terminal
az vm list --output json | jpterm
   

From: https://docs.microsoft.com/en-us/cli/azure/query-azure-cli

---

More on Azure

This is one of a series on Azure:

1. DevOps_2.0
2. ci-cd (Continuous Integration and Continuous Delivery)
3. User Stories for DevOps

4. Enterprise Software)

5. Git and GitHub vs File Archival
6. Git Commands and Statuses
7. Git Commit, Tag, Push
8. Git Utilities
9. Data Security GitHub
10. GitHub API

11. TFS vs. GitHub

12. Choices for DevOps Technologies
13. Pulumi Infrastructure as Code (IaC)
14. Java DevOps Workflow

15. Okta for SSO & MFA

16. AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
17. AWS server deployment options

18. AWS Load Balancers

19. Cloud services comparisons (across vendors)
20. Cloud regions (across vendors)

21. AWS Virtual Private Cloud

22. Azure Cloud Onramp (Subscriptions, Portal GUI, CLI)
23. Azure Certifications

24. Azure Cloud

25. Azure Cloud Powershell
26. Bash Windows using Microsoft’s WSL (Windows Subsystem for Linux)

27. Azure KSQL (Kusto Query Language) for Azure Monitor, etc.

28. Azure Networking
29. Azure Storage
30. Azure Compute

31. Azure Monitoring

32. Digital Ocean

33. Cloud Foundry

34. Packer automation to build Vagrant images
35. Terraform multi-cloud provisioning automation

36. Hashicorp Vault and Consul to generate and hold secrets

37. Powershell Ecosystem
38. Powershell on MacOS

39. Powershell Desired System Configuration

40. Jenkins Server Setup
41. Jenkins Plug-ins
42. Jenkins Freestyle jobs

43. Jenkins2 Pipeline jobs using Groovy code in Jenkinsfile

44. Docker (Glossary, Ecosystem, Certification)
45. Make Makefile for Docker
46. Docker Setup and run Bash shell script
47. Bash coding
48. Docker Setup
49. Dockerize apps

50. Docker Registry

51. Maven on MacOSX

52. Ansible
53. Kubernetes Operators

54. OPA (Open Policy Agent) in Rego language

55. MySQL Setup

56. Threat Modeling

57. SonarQube & SonarSource static code scan

58. API Management Microsoft

59. API Management Amazon

60. Scenarios for load
61. Chaos Engineering

---