Syntax and Query Structure

Some important rules:

You can put as many spaces you want btw the pipe and the command

cluster('help').database('SecurityLogs').Email
|     where subject == "jasade"

You can put many pipe commands in one line

cluster('help').database('SecurityLogs').Email
| where subject == "jasade" | sort by event_time asc

Double slash to comment '//'

//this is a comment
cluster('help').database('SecurityLogs').Email
| where subject == "jasade" | sort by event_time asc

KQL is mostly case-sensitive
No quotes around field names

Comparison operators

== equals to

!= not equal to

Table
| where FIrstName != "peter" //all people not named peter are returned

=~ not case sensitive

Table
| where FIrstName =~ "peter" //all uppercase, lowercase, combined is returned

Query order

How you filter your data matters!

If you filter first for the random 10 rows with 'take 10' and after that you search for all the users named 'peter' you wont get the same result as if you first searched for the name peter and than took random 10 rows.

Last updated 27 days ago

hashtagSome important rules:

hashtagComparison operators

hashtagQuery order

Some important rules:

Comparison operators

Query order