Software Engineer

2 minute read

3 min read 604 words

1. Introduction to Kusto Query Language (KQL)

Kusto Query Language (KQL) is a powerful, read-only tool used to explore data and discover patterns in Azure Application Insights, Log Analytics, and Azure Data Explorer. If you are familiar with SQL, you will find KQL intuitive, yet it is often more concise and easier to read for log analysis.

A KQL query follows a structured flow: you start with a source table, and then apply a series of operators separated by the pipe character (|).

2. The Core Concept: The Pipe Operator (|)

The pipe operator is the heart of KQL. It takes the output from the left side and passes it as the input to the right side. This makes queries very readable as they flow from top to bottom.

Basic Syntax:

TableName
| Operator1
| Operator2
| Operator3

3. Essential KQL Operators

To build professional queries, you need to master these five core operators:

where: Filtering Data

Used to filter the table to the subset of rows that satisfy a condition.

requests
| where success == false
| where timestamp > ago(24h)

project: Selecting Columns

Used to select the specific columns you want to include in the result, and optionally rename them.

exceptions
| project timestamp, problemId, outerMessage, operation_Id

summarize: Aggregating Results

Used to group data and perform calculations like count, avg, min, max, or sum.

requests
| summarize RequestCount = count() by bin(timestamp, 1h), resultCode

take or limit: Sampling Data

Used to return up to the specified number of rows. Useful for checking the schema or seeing examples.

traces
| take 10

order by / sort by: Sorting

Used to sort the results by one or more columns.

requests
| order by timestamp desc

4. Practical Application Insights Examples

Here are common scenarios you will encounter as a developer or DevOps engineer:

Scenario A: Finding Recent Exceptions

To see the most recent errors and their details:

exceptions
| where timestamp > ago(12h)
| project timestamp, type, outerMessage, client_City
| order by timestamp desc

Scenario B: Performance Analysis (P95 Response Time)

To understand the 95th percentile of your request duration (useful for identifying slow requests):

requests
| where success == true
| summarize p95 = percentile(duration, 95) by name
| order by p95 desc

You can use the render operator to create charts directly in the Azure Portal.

requests
| summarize count() by bin(timestamp, 30m)
| render timechart

5. Best Practices for Professional Queries

  • Filter Early: Always place your where clauses (especially time filters) as early as possible to improve performance.
  • Use bin(): Use the bin() function to group timestamps into readable intervals (e.g., 1h, 5m).
  • Case Sensitivity: KQL is generally case-sensitive for string comparisons. Use == for exact case-sensitive matches and =~ for case-insensitive matches.
  • Identify Transactions: Use operation_Id to correlate logs across different tables (e.g., matching a request to its exceptions and traces).

For further learning and deep dives into KQL, refer to these official resources:

Leave a comment

You may also enjoy

LeetCode: Reorder List in C#

4 minute read

Learn how to reorder a singly-linked list in-place using the slow/fast pointer technique, list reversal, and alternate merging in C#.

Median of Two Sorted Arrays in C#

5 minute read

Learn how to find the median of two sorted arrays using both an intuitive merging approach and the optimal O(log(N+M)) binary search approach in C#.