KQL – Page 8 – Curated SQL

Solving a Bank Robbery with KQL

Published 2023-02-08 by Kevin Feasel

Paul Hernandez gets Inspector Cluseau’d:

The Kusto Detective Agency was created last year (2022) to let people learn KQL solving funny puzzles at the same time. For me it has been a kind of scape room game, where you can exercise your solving problem capabilities and learn ADX at the same time. If you want to participate just follow this link

Click through for the scenario which got Paul.

Comments closed

Summations in KQL

Published 2023-02-07 by Kevin Feasel

Robert Cain continues a series on KQL:

In my previous post, Fun With KQL – Max, MaxIf, Min and MinIf, we looked at the aggregation functions max and min. In this post we’ll talk about another aggregation function, sum. We’ll also look at a variant of it, sumif.

Check out the details and examples in Robert’s post.

Comments closed

Max and Min Functions in KQL

Published 2023-01-31 by Kevin Feasel

Robert Cain goes extreme:

The max and min aggregation functions are common to almost every language, and the Kusto Query Language is no exception. As you would think, when you pipe in a dataset max returns the maximum value for the column name you pass in. Likewise min returns the lowest value.

In addition, there are variants for each, maxif and minif. We’ll see examples for all of these in this post.

Click through for a few functions you can call via the summarize operator.

Comments closed

Top-nested in KQL

Published 2023-01-24 by Kevin Feasel

Robert Cain continues a series on KQL:

Back in June of 2022 I covered the top operator in my Fun With KQL – Top post. We showed how to create your own top 10 lists, for example what were the top 5 computers ranked by free disk space.

What if you needed your top results in a nested hierarchy? For example, you wanted to know which three objects in the Perf table had the most entries? But, for each one of those, what were the three counters with the most entires?

That’s where the top-nested operator comes in. It allows you to create top lists in nested, also called hierarchical levels.

Click through for the normal slew of examples on how to use this operator.

Comments closed

Plotly Visualizations in Azure Data Explorer

Published 2023-01-18 by Kevin Feasel

Adi Eldar improves ADX visualization:

Azure Data Explorer (ADX) supports various types of data visualizations including time, bar and scatter charts, maps, funnels and many more. The chosen visualization can be specified as part of the KQL query using ‘render’ operator, or interactively selected when building ADX dashboards. Today we extend the set of visualizations, supporting advanced interactive visualizations by Plotly graphics library. Plotly supports ~80 chart types including basic charts, scientific, statistical, financial, maps, 3D, animations and more. There are two methods for creating Plotly visuals:

Read on to learn more about those two methods.

Comments closed

Pivoting with KQL

Published 2023-01-17 by Kevin Feasel

Robert Cain continues a series on KQL:

Business Analysis is becoming mainstream in today’s corporate world. A big part of that analysis is done with pivot tables. Think of an Excel spreadsheet where data is organized into rows and columns.

The pivot plugin will take one data column from your query, and flip it to become new columns in the output data grid. The other column will become the rows, and an aggregation function will be at the cross section of the rows and columns, supplying the main data. You’ll get a better understanding through the demos in this post.

You may be wondering “plugin? What’s a plugin?”

I did, in fact, wonder. And Robert explains what a plugin is, as well as examples of how to pivot.

Comments closed

KQL Contains and In

Published 2023-01-11 by Kevin Feasel

Robert Cain continues a series on KQL:

There are versions of these which are case sensitive. We’ll see a few here, focusing on the contains keyword. In addition there are not versions, which will also be demonstrated.

There is another operator we’ll discuss here, in. It is a bit of an odd duck, in that it is case sensitive by default. We’ll see it and its variants later in this post.

Case sensitivity in search is a curse.

Comments closed

Learning from Command Timeouts in Azure Log Analytics

Published 2022-12-23 by Kevin Feasel

Jose Manuel Jurado Diaz tracks timeouts:

Today, I worked on a service request when our customer needs to know several details about the command timeout captured (attention event) and sent to Log Analytics from Azure Diagnostic settings. In this article I would like to share my findings.

Read on to see how you can use Log Analytics and a little bit of KQL to track timeouts.

Comments closed

CountIf in KQL

Published 2022-12-20 by Kevin Feasel

Robert Cain continues a series on KQL:

In my previous post, Fun With KQL – DCountIf, we saw how you could apply a filter to the data directly within the dcountif function.

You may have been thinking gosh, it sure would be nice if we could do that within the count function! (Note, you can read more about count in my Fun With KQL – Count blog post.)

Well fear not intrepid Kusto coder, there is just such a function to fit your needs: countif.

As always, Robert has examples for us, so check those out.

Comments closed

DCountIf in KQL

Published 2022-12-13 by Kevin Feasel

Robert Cain continues a series on KQL:

In the previous post of this series, Fun With KQL – DCount, we saw how to use the dcount function to get an estimated count of rows for an incoming dataset.

It’s common though to want to filter out certain rows from the count. While you could do the filtering before getting to the dcount, there’s an alternative function that allows you to do the filtering right within it: dcountif.

Read on to learn more about how this function works, as well as several useful examples.

Comments closed

Category: KQL