0
0
Azurecloud~20 mins

Kusto Query Language (KQL) basics in Azure - Practice Problems & Coding Challenges

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Challenge - 5 Problems
🎖️
KQL Basics Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
service_behavior
intermediate
2:00remaining
What is the output count of this KQL query?
Given the table Logs with 5 rows, what is the output count of this query?
Logs | where Level == 'Error' | count
Azure
Logs | where Level == 'Error' | count
A0
B3
C5
D1
Attempts:
2 left
💡 Hint
Count returns the number of rows after filtering.
🧠 Conceptual
intermediate
1:30remaining
Which operator filters rows in KQL?
You want to select only rows where the column Status equals 'Success'. Which operator do you use?
Awhere
Bproject
Csummarize
Dextend
Attempts:
2 left
💡 Hint
Filtering means choosing rows based on a condition.
Configuration
advanced
2:30remaining
What is the output of this KQL query with summarize?
Given the table Sales with columns Region and Amount, what does this query output?
Sales | summarize TotalAmount = sum(Amount) by Region
Azure
Sales | summarize TotalAmount = sum(Amount) by Region
AA single value with the sum of all Amounts
BA table with all rows and a new column TotalAmount with sum of all Amounts
CA table with each Region and the sum of Amount for that Region
DAn error because summarize needs a where clause
Attempts:
2 left
💡 Hint
Summarize groups rows by the column after 'by'.
security
advanced
3:00remaining
Which KQL query prevents exposing sensitive data by masking?
You want to show user data but mask the Email column except the domain part. Which query achieves this?
AUsers | extend EmailMasked = substring(Email, 0, 3) | project EmailMasked
BUsers | project Email = '***@domain.com'
CUsers | where Email contains '@' | project Email
DUsers | extend EmailMasked = strcat('***@', extract('@(.+)$', 1, Email)) | project-away Email
Attempts:
2 left
💡 Hint
Masking means hiding part of the data but keeping some visible.
Architecture
expert
3:00remaining
What is the effect of this KQL query on data ingestion time?
Given a large streaming table Events, what does this query do?
Events | where Timestamp > ago(1h) | summarize Count = count() by bin(Timestamp, 5m)
Azure
Events | where Timestamp > ago(1h) | summarize Count = count() by bin(Timestamp, 5m)
AReturns counts of events in 5-minute intervals for the last hour, efficient for recent data
BReturns counts for all data ignoring the time filter, causing slow queries
CReturns a single count of all events in the last hour without grouping
DCauses an error because bin cannot be used with Timestamp
Attempts:
2 left
💡 Hint
The ago(1h) filters recent data, bin groups time.