Questions tagged [kql]
Kusto Query Language (KQL). Use this tag for questions about operators, complex queries, performance problems, or missing capabilities. A KQL query is a read-only request to process data and return results. The request is stated in plain text, using a data-flow model designed to make the syntax easy to read, author, and automate. The query uses schema entities that are organized in a hierarchy similar to SQL's: databases, tables, and columns.
2,114 questions
0 votes, 0 answers, 15 views
has_all(): failed to cast argument 2 to scalar constant
I have a dynamic list of strings that I want to compare with a value of a column in main_table. I want to make sure all the parts from this list match my column.
let name_parts_table = print names = ...
0 votes, 0 answers, 27 views
Dynamic Prev in Kusto (KQL)
I have a table with Dates, Tickers, and Strategies for multiple stocks. I'd like to create a revised strategy column that pulls the most recent strategy per ticker that isn't equal to "Flat"....
0 votes, 1 answer, 40 views
Kusto multiple summarize in single query
I have a device_event table and I'm trying out the following query:
device_events
| where orgid == 1
| summarize failedEvents = countif(name=='failure'),
successEvents = countif(name=='success')...
0 votes, 0 answers, 36 views
Adding external delta table in Kusto does not work, table too big?
I would like to add an external table to Azure Data Explorer. Format is delta.
I am using the statement
.create async external table mybigtable
kind=delta
(
h@'abfss://mycontainer@...
0 votes, 1 answer, 60 views
Kusto - fetch data from one table where matching records do not exist in another table
I have two tables in an Azure Data Explorer DB; the first table is Users and the second one is Heartbeat. The Users table has certain fields, including email. The Heartbeat table has email and Heartbeat send date/...
-1 votes, 0 answers, 28 views
Advice - Advance hunting query joining question
I was wondering if y'all can give me advice on how to join two unique tables together when they don't have similar schemas. Basically the query is meant to detect email events allowed clicked which ...
0 votes, 1 answer, 24 views
Cache the result of a scalar function during query execution in Azure Data Explorer
Through the use of KQL materialize() one can cache a tabular expression during query execution. This can be good for performance if the tabular expression is used many times in the query and is ...
0 votes, 1 answer, 51 views
KQL - extract property value from an array of JSON objects, based on the value of another property
Suppose I have a table with some columns. One of the columns is called Details, has a dynamic type, and is an array of JSON objects similar to this:
[
{
"key": "Name",
...
0 votes, 1 answer, 97 views
How to search between dates
I have been trying to find a way to search between dates in Azure Data Explorer but every example or format I find on the internet has led me to more errors. I need to be able to search our Log files ...
0 votes, 1 answer, 30 views
Defender Advance Query
I was looking for some advice or help on my query. Basically I am trying to create a query to detect possible anomalies in email attachments from senders, rendering it into a line chart. For some ...
0 votes, 1 answer, 57 views
Calculation of outlier score in series_outlier method
I want to implement the series_outlier method in Python and used the following code
import pandas as pd
import numpy as np
from scipy.stats import norm
# Load the data into a DataFrame
data = {
...
0 votes, 2 answers, 46 views
How to 'take' batches of a KQL query using a batch file?
I want to take the lines of text resulting from a KQL query in batches of 50, (50/50/../remainder). How can I do that using a batch file?
I can use take 50 to take the first 50 rows, but how to take ...
1 vote, 1 answer, 42 views
KQL: How to reference columns within a let query in the next query
I want to be able to reference min_TimeGenerated, max_TimeGenerated, and LocalIP without having to write 3 let queries and project each one. What's the best practice on how to do this?
let TimeRange = ...
0 votes, 1 answer, 54 views
How to get Azure Advisor scores from azure resource graph explorer?
How to get Azure Advisor scores from azure resource graph explorer?
In particular I am looking for the Cost, Reliability, Operational Excellence and Performance total scores.
I know I can get the ...
1 vote, 1 answer, 77 views
Azure Log Analytics KQL: How to project specific key values from the dynamically sized AuditLog AdditionalDetails field
"How can I find a specific element in a dynamic array in KQL?"
I am attempting to generate a table of privileged role activations over a period.
Amongst others I want to have columns for the ...