qnd:azure:kusto_query_language_kql

This is an old revision of the document!

Kusto Query Language (KQL)

Queries

Select records where a column does not contain any of the listed substrings 

SecurityEvent
| where not(Computer has_any ("mgmt", "imagine"))

Alternate form that works for a single substring match 

SecurityEvent
| where not(Computer contains "mgmt")
SecurityEvent
| where Computer !contains "mgmt"

summarize

Get a count of records based on summarizing a specified column 

Event
| where not(Computer has_any ("mgmt", "imagine"))
| summarize count() by Computer

Get unique values from the specified column 

SecurityEvent
| distinct Computer
  • qnd/azure/kusto_query_language_kql.1633458352.txt.gz
  • Last modified: 2021/10/05 18:25
  • by mgupton