0
0
Azurecloud~10 mins

Kusto Query Language (KQL) basics in Azure - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Process Flow - Kusto Query Language (KQL) basics
Start Query
Read Table
Apply Filters
Project Columns
Sort or Aggregate
Return Results
KQL queries start by reading a table, then filter rows, select columns, optionally sort or aggregate, and finally return results.
Execution Sample
Azure
StormEvents
| where State == "TX"
| project StartTime, EventType
| sort by StartTime desc
This query reads the StormEvents table, filters for Texas events, selects StartTime and EventType columns, and sorts results by StartTime descending.
Process Table
StepActionInput RowsOutput RowsDetails
1Read Table StormEventsAll rowsAll rowsLoad all data from StormEvents
2Filter where State == "TX"All rowsFiltered rowsKeep only rows where State is TX
3Project StartTime, EventTypeFiltered rowsSame rowsSelect only StartTime and EventType columns
4Sort by StartTime descProjected rowsSame rowsOrder rows by StartTime newest first
5Return ResultsSorted rowsSorted rowsOutput final result set
💡 Query completes after returning sorted filtered and projected rows.
Status Tracker
VariableStartAfter Step 1After Step 2After Step 3After Step 4Final
RowsN/AAll rowsFiltered rows (State == TX)Projected rows (StartTime, EventType only)Sorted rows by StartTime descSorted filtered projected rows
Key Moments - 3 Insights
Why does the number of rows decrease after the filter step?
Because the filter keeps only rows where State equals TX, removing all others as shown in step 2 of the execution table.
Does projecting columns change the number of rows?
No, projecting only selects columns but keeps the same number of rows, as seen in step 3 where output rows remain the same.
What does sorting do to the data?
Sorting changes the order of rows but does not add or remove rows, as shown in step 4 where rows are ordered by StartTime descending.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, after which step are only Texas events kept?
AStep 1
BStep 3
CStep 2
DStep 4
💡 Hint
Check the 'Action' and 'Details' columns in the execution table for step 2.
At which step does the query reduce columns to only StartTime and EventType?
AStep 3
BStep 2
CStep 4
DStep 5
💡 Hint
Look at the 'Project' action in the execution table.
If we remove the filter step, what happens to the number of rows after step 2?
ARows decrease to only Texas events
BRows stay the same as all rows are kept
CRows increase
DRows become zero
💡 Hint
Filtering is what reduces rows; without it, all rows remain.
Concept Snapshot
Kusto Query Language (KQL) basics:
- Start with a table name
- Use | to chain commands
- 'where' filters rows
- 'project' selects columns
- 'sort by' orders rows
- Results show filtered, selected, sorted data
Full Transcript
This visual execution traces a simple Kusto Query Language query. It starts by reading all rows from the StormEvents table. Then it filters rows to keep only those where the State is TX. Next, it projects only the StartTime and EventType columns, keeping the same number of rows. After that, it sorts the rows by StartTime in descending order. Finally, it returns the sorted, filtered, and projected results. Key moments include understanding that filtering reduces rows, projecting changes columns but not rows, and sorting changes order but not row count.