你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
Kusto Query Language learning resources
Applies to: ✅ Microsoft Fabric ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Kusto Query Language (KQL) is a powerful tool to explore your data and discover patterns, identify anomalies and outliers, create statistical modeling, and more. Are you new to KQL or want to improve your KQL skills? Take a look at the following learning resources.
For more information on KQL, see KQL overview.
Demo environment
You can practice Kusto Query Language statements in a Log Analytics demo environment in the Azure portal. There's no charge to use this practice environment, but you do need an Azure account to access it.
Like Log Analytics in your production environment, it can be used in many ways:
Choose a table on which to build a query. From the default Tables tab (shown in the red rectangle at the upper left), select a table from the list of tables grouped by topics (shown at the lower left). Expand the topics to see the individual tables, and you can further expand each table to see all its fields (columns). Double-clicking on a table or a field name places it at the point of the cursor in the query window. Type the rest of your query following the table name, as directed below.
Find an existing query to study or modify. Select the Queries tab (shown in the red rectangle at the upper left) to see a list of queries available out-of-the-box. Or, select Queries from the button bar at the top right. Double-click a query to place it in the query window at the point of the cursor.
Like in this demo environment, you can query and filter data in the Microsoft Sentinel Logs page. You can select a table and drill down to see columns. You can modify the default columns shown using the Column chooser, and you can set the default time range for queries. If the time range is explicitly defined in the query, the time filter is unavailable (grayed out).
If you're onboarded to Microsoft's unified security operations platform, you can also query and filter data in the Microsoft Defender Advanced hunting page. For more information, see Advanced hunting with Microsoft Sentinel data in Microsoft Defender portal.
General training
For general information about KQL, see:
- Pluralsight: KQL from scratch
- Kusto Detective Agency
- Tutorial: Learn common operators
- Tutorial: Use aggregation functions
- Tutorial: Join data from multiple tables
- Cloud Academy: Introduction to Kusto Query Language
Azure Data Explorer
For more information about KQL in Azure Data Explorer, see:
Microsoft Fabric
For more information about KQL in Microsoft Fabric, see Get started with Real-Time Analytics in Microsoft Fabric.
Azure Monitor
For more information about KQL in Azure Monitor, see:
Microsoft Sentinel
For more information about KQL in Microsoft Sentinel, see: