KQL: Overview

Dated May 24, 2025; last modified on Sat, 24 May 2025

A Kusto query is a read-only request that processes data that is organized into a hierarchy of databases, tables, and columns, similar to SQL.

Query statements are separated by a semicolon (;), and only affect the query at hand. There are 3 kinds of user query statements: tabular expression statements, let statements, and set statements.

The most common kind is the tabular expression statement where the input and the output consist of tables. Tabular statements contain zero or more operators that are sequenced by a | (pipe). Each time the data passes through another operator, it’s filtered, rearranged, or summarized. Because the piping is sequential, the query operator order can affect both results and performance.

Kusto supports management commands that can modify data or metadata, e.g., .create table Logs (Level: string, Text: string). Management commands always start with the dot (.) character (which can’t start a query). Not all commands modify data/metadata, e.g., .show tables returns a list of all the tables in the current database.

contains the Storm_Events database with two tables. The PopulationData table has 2 columns: Population (long), and State (string). The StormEvents table has 22 columns:

  • StartTime (datetime) and EndTime (datetime)
  • BeginLat (real), BeginLon (real), EndLat (real), EndLon (real), BeginLocation (string), EndLocation (string), State (string)
  • DamageCrops (int), DamageProperty (int), DeathsDirect (int), DeathsIndirect (int), InjuriesDirect (int), InjuriesIndirect (int)
  • EpisodeId (int), EpisodeNarrative (string)
  • EventId (int), EventNarrative (string), EventType (string)
  • Source (string)
  • StormSummary (dynamic)

is referenced a lot in examples.
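
The three statement kinds and the effect of operator order, shown as one query against the StormEvents table. This is an added example, not taken from the referenced documentation; the names MinDamage, WindowStart and WindowEnd, the damage threshold, the date range and the record limit are assumed values chosen for illustration.

```kusto
// Added example; threshold, dates and record limit are constructed values.

// Set statement: a request option that applies only to this query.
set truncationmaxrecords = 1000;

// Let statements: bind names to scalar values used further down.
let MinDamage = 1000000;
let WindowStart = datetime(2007-01-01);
let WindowEnd = datetime(2008-01-01);

// Tabular expression statement: each operator receives the table
// produced by the one before it, in the order written.
StormEvents
// Filter first, so every later operator processes fewer rows.
| where StartTime >= WindowStart and StartTime < WindowEnd
| where DamageProperty >= MinDamage
// Aggregate the remaining rows per state and event type.
| summarize Events = count(), TotalDamage = sum(DamageProperty) by State, EventType
// Rank the aggregated rows. Placing a row-limiting operator before
// summarize instead would aggregate only the rows it kept, which
// changes the result and not just the run time.
| top 5 by TotalDamage desc
```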

  1. Kusto Query Language (KQL) overview - Kusto | Microsoft Learn. learn.microsoft.com. Feb 23, 2025. Accessed May 24, 2025.
  2. help.Samples | Azure Data Explorer. dataexplorer.azure.com. Accessed May 24, 2025.