KQL Reference

Kusto Query Language Cheat Sheet

Master the essential Kusto Query Language (KQL) operators used in Azure Log Analytics, Sentinel, and Application Insights. Copy-paste examples included for each operator.

Filtering

Filter rows based on conditions and patterns

where

Filter rows matching a condition

Example
SecurityEvent
| where EventID == 4625
| where TimeGenerated > ago(24h)

has_any

Check if column contains any value from a set

Example
ContainerLogV2
| where LogMessage has_any ("error", "failed", "exception")

contains

Case-sensitive substring match

Example
ContainerLogV2
| where LogMessage contains "OutOfMemory"

startswith

Match strings starting with a prefix

Example
requests
| where name startswith "/api/"
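As an added example that is not part of the cheat sheet, here is a triage query that chains the filtering operators above. It assumes the standard Log Analytics SecurityEvent columns for event 4625 (Account, LogonType, IpAddress, SubStatus, WorkstationName); the logon types, SubStatus codes and the excluded name patterns are a constructed triage policy, not a recommended baseline. One point worth knowing when building such filters: in KQL `contains` matches case-insensitively, and `contains_cs` is the case-sensitive variant, so the query uses `contains_cs` on the one exclusion where case is part of the naming convention.

```kql
// Added example (not from the cheat sheet): failed logons narrowed for triage.
// Assumes the standard SecurityEvent schema; the policy choices are constructed.
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625                                  // failed logon
| where LogonType in (3, 10)                             // 3 = network, 10 = RemoteInteractive (RDP)
| where not(Account startswith "NT AUTHORITY\\")         // built-in identities
| where not(Account endswith "$")                        // machine accounts
| where SubStatus has_any ("0xc000006a", "0xc0000064")   // bad password, unknown user name
| where not(WorkstationName contains_cs "SCAN-")         // constructed: authorised scanner hosts, matched case-sensitively
| project TimeGenerated, Computer, Account, IpAddress, LogonType, SubStatus
| order by TimeGenerated desc
```

Each `where` narrows the row set before the next one runs, so put the cheapest, most selective predicates (time window, EventID) first; string operators such as `has_any` and `contains_cs` then only touch the rows that survive.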

Time Functions

Work with timestamps and time intervals

ago()

Time delta from now (e.g., 1h, 7d, 30m)

Example
ContainerLogV2
| where TimeGenerated > ago(1h)
| summarize count() by PodName

now()

Current timestamp

Example
SecurityEvent
| where TimeGenerated between (ago(24h) .. now())

bin()

Round timestamps to a bucket size

Example
Perf
| where TimeGenerated > ago(7d)
| summarize AvgCpu = avg(CounterValue) by bin(TimeGenerated, 1h), Computer
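As an added example that is not part of the cheat sheet, the three time functions above combined into one query: `ago()` and `now()` bound the window with `between`, `bin()` groups events into hourly buckets, and timespan arithmetic on the bucket start shows each bucket's age. It assumes the standard SecurityEvent schema; the window, bucket size and threshold are constructed values.

```kql
// Added example (not from the cheat sheet): failed logons per host in 1-hour
// buckets over the last 24 hours, with each bucket's age computed from now().
// Assumes the standard SecurityEvent schema; lookback, bucket and threshold are constructed.
let lookback = 24h;
let bucket = 1h;
let threshold = 50;
SecurityEvent
| where TimeGenerated between (ago(lookback) .. now())
| where EventID == 4625
| summarize Failures = count() by Computer, BucketStart = bin(TimeGenerated, bucket)
| extend BucketEnd = BucketStart + bucket
| extend HoursAgo = (now() - BucketStart) / 1h       // timespan / timespan yields a real number
| where Failures >= threshold
| order by BucketStart desc, Failures desc
```

`bin()` rounds each timestamp down to the start of its bucket, so the first bucket of the window is partial; when a detection keys on a per-bucket count, either drop that bucket or widen the lookback slightly so the oldest full bucket is included.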

Aggregation

Combine and summarize data across rows

summarize

Group rows and apply aggregate functions

Example
requests
| summarize count(), avg(duration), max(duration) by client_CountryOrRegion

count()

Count rows per group

Example
SecurityEvent
| where EventID == 4625
| summarize FailedLogons = count() by Account, Computer

avg(), min(), max()

Numeric aggregations across column values

Example
Perf
| where ObjectName == "Processor"
| summarize AvgCpu = avg(CounterValue), MaxCpu = max(CounterValue) by Computer
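As an added example that is not part of the cheat sheet, a per-source summary that uses `count()`, `min()` and `max()` together in one `summarize`; it also uses `dcount()` (distinct count) and `make_set()`, which go beyond the aggregates listed above. It assumes the standard SecurityEvent schema; the thresholds are constructed, not a recommended baseline.

```kql
// Added example (not from the cheat sheet): per-source summary of failed logons
// that surfaces one source trying many accounts. Assumes the standard SecurityEvent
// schema; dcount()/make_set() are beyond the sheet, thresholds are constructed.
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
| summarize Attempts = count(),
            DistinctAccounts = dcount(Account),
            DistinctHosts = dcount(Computer),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleAccounts = make_set(Account, 5)        // at most 5 example accounts
    by IpAddress
| extend SpanMinutes = (LastSeen - FirstSeen) / 1m
| extend AttemptsPerAccount = todouble(Attempts) / DistinctAccounts
| where DistinctAccounts >= 10 or Attempts >= 100
| order by DistinctAccounts desc, Attempts desc
```

Naming each aggregate (`Attempts = count()`) matters for anything downstream: unnamed aggregates get generated names such as `count_` and `max_TimeGenerated`, which are easy to mistype in a later `where` or `order by`. `dcount()` is an estimate by default; pass an accuracy level as its second argument when exact counts matter.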

Shaping Output

Select, create, and rename columns

project

Select specific columns; can also create new computed columns

Example
requests
| project TimeGenerated, name, duration, client_IP
| where duration > 5000

extend

Add computed or derived columns

Example
requests
| extend DurationInSeconds = duration / 1000
| extend IsSlowRequest = DurationInSeconds > 5

project-away

Exclude specific columns from output

Example
requests
| project-away customDimensions, customMeasurements

project-rename

Rename one or more columns

Example
requests
| project-rename ResponseTime = duration
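As an added example that is not part of the cheat sheet, the four shaping operators above applied in sequence to turn raw requests into a triage view: `extend` derives new columns, `project-away` drops the raw ones, and `project-rename` (the KQL operator that renames columns) gives the remainder readable names. It assumes the columns the sheet already uses (name, duration, client_IP, customDimensions, customMeasurements) plus resultCode, and follows the sheet in using TimeGenerated as the time column; classic Application Insights queries call it timestamp. The 5-second threshold is a constructed value.

```kql
// Added example (not from the cheat sheet): reshape requests into a triage view.
// Assumes name, duration, client_IP, customDimensions, customMeasurements and
// resultCode exist; the slow-request threshold is constructed.
requests
| where TimeGenerated > ago(1h)
| extend DurationInSeconds = duration / 1000.0                 // duration is milliseconds
| extend StatusClass = case(toint(resultCode) >= 500, "server_error",
                            toint(resultCode) >= 400, "client_error",
                            "ok")                              // case() takes the first true branch
| extend IsSlowRequest = DurationInSeconds > 5
| where IsSlowRequest or StatusClass != "ok"
| project-away customDimensions, customMeasurements, duration  // drop the raw payloads
| project-rename Route = name, ResponseTimeSeconds = DurationInSeconds
```

Order matters: `extend` must come before `project-away` when a derived column is computed from a column you are about to drop (here `duration`), and `where` placed before `project-away` still sees every column.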

Joins & Unions

Combine data from multiple tables or sets

join

Combine rows from two tables on a key

Example
requests
| where name == "/api/users"
| join (exceptions) on operation_Id
| project TimeGenerated, name, outerMessage

union

Combine result sets from multiple queries

Example
SecurityEvent
| where EventID == 4625
| union (SigninLogs | where ResultType != "0")
| summarize count() by bin(TimeGenerated, 1h)
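As an added example that is not part of the cheat sheet, `union` and `join` used together: failed logons from on-prem (SecurityEvent) and Entra ID (SigninLogs) are projected onto a common shape before the union, then joined to later on-prem successes from the same account and source. It assumes the standard schemas of both tables and that the prefix of the UPN in SigninLogs equals the on-prem account name in TargetUserName, which is an assumption you would verify in your own tenant; the window and threshold are constructed.

```kql
// Added example (not from the cheat sheet): failures from two sources unioned
// on a common shape, then joined to subsequent successes. Assumes the standard
// SecurityEvent and SigninLogs schemas and that UPN prefix == TargetUserName;
// window and minFailures are constructed.
let window = 1h;
let minFailures = 10;
let onpremFailures = SecurityEvent
    | where TimeGenerated > ago(window) and EventID == 4625
    | project TimeGenerated, Account = tolower(TargetUserName), IpAddress, Source = "SecurityEvent";
let cloudFailures = SigninLogs
    | where TimeGenerated > ago(window) and ResultType != "0"
    | project TimeGenerated, Account = tolower(tostring(split(UserPrincipalName, "@")[0])),
              IpAddress = IPAddress, Source = "SigninLogs";
let failures = union onpremFailures, cloudFailures
    | summarize Failures = count(), LastFailure = max(TimeGenerated), Sources = make_set(Source)
        by Account, IpAddress
    | where Failures >= minFailures;
let successes = SecurityEvent
    | where TimeGenerated > ago(window) and EventID == 4624
    | where LogonType in (3, 10)
    | project Account = tolower(TargetUserName), IpAddress, Computer, SuccessTime = TimeGenerated;
failures
| join kind=inner successes on Account, IpAddress   // right-side keys come back as Account1/IpAddress1
| where SuccessTime > LastFailure
| project Account, IpAddress, Computer, Failures, Sources, LastFailure, SuccessTime
| order by Failures desc
```

Two caveats the one-line descriptions above do not cover. `union` does not require matching schemas, so without the `project` step the two inputs would simply produce a sparse table with both column sets, and the `summarize` key columns would be null for one side. `join` without an explicit `kind` is `innerunique`, which keeps only one left-side row per key; `kind=inner` is the safer default when you want every matching pair.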

Ordering & Limiting

Sort and restrict result sets

order by

Sort rows ascending or descending

Example
requests
| summarize count() by name
| order by count_ desc

top

Return the first N rows after sorting

Example
requests
| order by duration desc
| top 10 by duration

limit

Return the first N rows

Example
requests
| limit 100

Ready to write KQL faster?

Join the waitlist for KQL Remix private beta and transform your intent into production-ready queries instantly.
