Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: ✅ Microsoft Fabric ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Use Kusto Query Language (KQL) to explore your data, discover patterns, identify anomalies and outliers, build statistical models, and more. New to KQL or want to improve your skills? Use the following learning resources.
For more information, see KQL overview.
Demo environment
Practice Kusto Query Language statements in the Log Analytics demo environment in the Azure portal. It's free, but you need an Azure account.
Like your production Log Analytics workspace, the demo environment lets you:
Choose a table on which to build a query. From the Tables tab, select a table from the list grouped by topic. Expand a topic to see its tables. Expand a table to see its fields (columns). Double-click a table or field name to insert it at the cursor in the query window. Type the rest of the query after the table name.
Find an existing query to study or modify. Select the Queries tab to see the list of queries available by default. Alternatively, select Queries from the button bar. Double-click a query to insert it at the cursor in the query window.
As in the demo environment, query and filter data on the Microsoft Sentinel Logs page. Select a table and drill down to see its columns. Use the Column chooser to modify the default columns, and set the default time range for queries. If the time range is explicitly defined in the query, the time filter is unavailable (grayed out).
If Microsoft Sentinel is onboarded to the Defender portal, query and filter data on the Microsoft Defender Advanced hunting page. For more information, see Advanced hunting with Microsoft Sentinel data in Microsoft Defender portal.
KQL training
Learn more about KQL:
- Pluralsight: KQL from scratch
- Kusto Detective Agency
- Tutorial: Learn common operators
- Tutorial: Use aggregation functions
- Tutorial: Join data from multiple tables
- Cloud Academy: Introduction to Kusto Query Language
Azure Data Explorer
For more information about KQL in Azure Data Explorer, see:
Microsoft Fabric
For more information about KQL in Microsoft Fabric, see Get started with Real-Time Analytics in Microsoft Fabric.
Azure Monitor
For more information about KQL in Azure Monitor, see:
Microsoft Sentinel
For more information about KQL in Microsoft Sentinel, see: