Chapter 5: Using the Kusto Query Language (KQL)

The Kusto Query Language (KQL) is a plain-text, read-only language that is used to query data stored in Azure Log Analytics workspaces. Much like SQL, it utilizes a hierarchy of entities that starts with databases, then tables, and finally columns. In this chapter, we will only concern ourselves with the table and column levels.

In this chapter, you will learn about a few of the many KQL commands that you can use to query your logs.

In this chapter, you will learn the following:

How to test your KQL queries
How to query a table
How to limit how many rows are returned
How to limit how many columns are returned
How to perform a query across multiple tables
How to graphically view the results

Get Microsoft Sentinel in Action - Second Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Microsoft Sentinel in Action - Second Edition by Richard Diver, Gary Bushey, John Perkins

Chapter 5: Using the Kusto Query Language (KQL)

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly