Kusto Query Language (KQL) is a read-only query language for exploring, analyzing, and visualizing data in Microsoft services such as Azure Monitor Logs (Log Analytics), Azure Data Explorer, and Microsoft Sentinel. A KQL query can read and transform data but never modifies it, which is what makes it safe to hand to operators and analysts. For the AZ-400 Designing and Implementing Microsoft DevOps Solutions exam, you need to be able to interrogate logs with basic KQL queries.
Basics of Kusto Query Language (KQL)
Kusto Query Language (KQL) reads as a left-to-right pipeline: you name a table, then pass its rows through a sequence of operators (such as ‘where’, ‘project’, and ‘summarize’) joined by the pipe character. Each step transforms the output of the one before it, which many people find easier to follow than nested SQL. KQL is also built for large volumes of time-stamped telemetry, making it a natural fit for application and cloud service logs.
A simple KQL query can be written as follows:
Logs
| where TimeGenerated > ago(1h)
| where SeverityLevel == 3
This returns the rows from the last hour whose severity level is 3. ‘Logs’ is a placeholder table name; in a Log Analytics workspace you would use a real table such as ‘AppTraces’. Note that ‘ago(1h)’ is evaluated relative to the query’s execution time, in UTC.
Constructing Basic KQL Queries
Every KQL query begins with a tabular data source (usually a table name), followed by one or more piped (“|”) operators that transform the rows. Here are the basic operators:
- ‘where’ – applies a filter to the dataset
- ‘project’ – selects specified columns from the dataset
- ‘summarize’ – groups rows that share the same values into single, aggregated records
- ‘order by’ – sorts the records by one or more columns (‘sort by’ is the same operator)
To apply a filter, you use the ‘where’ command:
Logs
| where TimeGenerated > ago(24h)
This query filters the log data to show only the entries generated in the last 24 hours.
In the following query, the ‘project’ command selects only the specified columns:
Logs
| project TimeGenerated, Message
This will return just the ‘TimeGenerated’ and ‘Message’ columns from the logs.
You can use the ‘summarize’ command to group and aggregate data:
Logs
| summarize count() by SeverityLevel
The query returns a count of logs for each different ‘SeverityLevel’.
Finally, the ‘order by’ command sorts the records:
Logs
| order by TimeGenerated desc
This query returns the logs ordered by ‘TimeGenerated’ in descending order.
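The four operators above rarely appear alone. As an added example (not code from the original page), here is a complete query that chains them, together with a ‘let’ statement, to find source addresses generating repeated failed sign-ins. It assumes a Log Analytics workspace that receives Microsoft Entra sign-in logs in the ‘SigninLogs’ table, where ‘ResultType’ is "0" for a successful sign-in and an error code otherwise; the table and column names are taken from that schema, and the 10-failure threshold is an arbitrary choice.

```kusto
// Added example. Assumes Microsoft Entra sign-in logs in the SigninLogs table;
// ResultType "0" means success, any other value is a failure code.
let lookback = 24h;          // let binds reusable values for the whole query
let threshold = 10;          // arbitrary: tune to your tenant's baseline
SigninLogs
| where TimeGenerated > ago(lookback)      // filter first: limits the rows every later step touches
| where ResultType != "0"                  // keep only failed sign-ins
| summarize Failures = count(),            // aggregate per source address
            TargetedAccounts = dcount(UserPrincipalName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IPAddress
| where Failures >= threshold              // a where after summarize acts like SQL HAVING
| project IPAddress, Failures, TargetedAccounts, FirstSeen, LastSeen
| order by Failures desc, TargetedAccounts desc
```

Putting the time filter first matters for both cost and correctness: it is the one predicate the engine can resolve against the partitioning of the data, and everything downstream only sees the rows that survive it. The ‘dcount’ column separates an attacker spraying one password across many accounts from a single user mistyping theirs.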
Using KQL to Understand Your Logs
By using KQL, you can dive deeper into your logs, extract meaningful insights, and improve your monitoring efforts. More complex KQL queries can gather data about specific application behaviors and alert you about potential issues you may need to address.
In conclusion, understanding Kusto Query Language (KQL) is crucial to getting the most out of Azure’s logging capabilities, helping you improve the management and performance of your applications. Include hands-on KQL practice in your preparation for the AZ-400 exam so you are well-equipped to design and implement effective DevOps solutions on Microsoft Azure.
Remember, practice is key when it comes to mastering KQL. To enhance your skills, try writing queries using different command combinations and test them against your logs. With enough practice, you’ll acquire the proficiency in utilizing KQL to handle and interrogate logs effectively – a vital asset in achieving success in your AZ-400 exam, and your broader DevOps career.
Practice Test
Kusto Query Language (KQL) is a read-only language.
- True
- False
Answer: True
Explanation: A KQL query is a read-only request: it reads and transforms data and returns a result set, but it cannot insert, update, or delete data. Changes to data and schema are made with separate management commands, not with KQL queries.
Which of the following parts are mandatory in a basic KQL query?
- Tabular_expression
- Datasource_name
- Filter_expression
- Projection_expression
Answer: Tabular_expression
Explanation: A KQL query is a sequence of statements separated by semicolons, of which exactly one must be a tabular expression statement (such as a table name followed by piped operators). ‘let’ statements, filters, and projections are all optional.
What does the summarize operator do in KQL?
- It sorts the data.
- It groups the data.
- It filters the data.
- It splits the query.
Answer: It groups the data.
Explanation: Summarize operator in Kusto Query Language groups the input dataset into sub-tables (or groups).
The “let” statement in KQL lets you bind a name to a scalar value, a tabular expression, or a function and reuse it later in the same query.
- True
- False
Answer: True
Explanation: ‘let’ binds a name to an expression for the scope of a single query (for example ‘let lookback = 24h;’), which keeps thresholds and reusable subqueries in one place instead of repeating them.
Which operator can be used to combine rows from two or more tables in KQL?
- Join
- Union
- Project
- Extend
Answer: Union
Explanation: The union operator is used to pipe together the rows from multiple tables or queries into a single tabular result.
It is possible to query across databases with KQL.
- True
- False
Answer: True
Explanation: Cross-database queries are supported in Kusto Query Language by using the database(‘databaseName’).tableName syntax.
Kusto Query Language (KQL) does not support conditional statements.
- True
- False
Answer: False
Explanation: KQL supports conditional logic with the ‘iff()’ function (two-way if/else) and the ‘case()’ function (if/else-if/else chains), typically inside ‘extend’ or ‘project’. The ‘evaluate’ operator invokes query plugins and is not how conditionals are expressed.
The “extend” operator in KQL is synonymous with which SQL operator?
- SELECT
- AS
- WHERE
- ADD COLUMN
Answer: ADD COLUMN
Explanation: The ‘extend’ operator appends calculated columns to the result set, the closest SQL equivalent being a computed expression added to the SELECT list. Unlike ‘project’, it keeps all existing columns.
In KQL, the statement “T | project new_name = column1” renames column1 to new_name.
- True
- False
Answer: True
Explanation: ‘project’ selects, renames (using the NewName = OldName form), drops, and computes columns. If you only want to rename, ‘project-rename new_name = column1’ does so while keeping every other column.
KQL and SQL have the exact same syntax.
- True
- False
Answer: False
Explanation: Even though they have similarities, KQL and SQL are two different query languages with unique nuances and syntax.
The timeframe of the data that is returned in Kusto Query Language can be controlled using which of the following operators?
- Extend
- Filter
- Range
- Startofmonth
Answer: Filter
Explanation: Time ranges are set with a filter on the timestamp column, for example ‘where TimeGenerated > ago(1h)’ or ‘where TimeGenerated between (ago(2h) .. ago(1h))’; ‘filter’ is an alias of ‘where’. ‘range’ generates a table of values rather than filtering one, and ‘startofmonth’ is a scalar function.
The “count()” aggregation function, used with “summarize … by”, computes the number of records in each group.
- True
- False
Answer: True
Explanation: Inside ‘summarize … by’, the ‘count()’ aggregation returns the number of records per group. The standalone ‘count’ operator (‘T | count’) returns a single row with the total number of records.
The “Top” command in Kusto Query Language will show you the lowest values of a column.
- True
- False
Answer: False
Explanation: ‘top N by column’ returns the N records with the highest values of the column; descending order is the default. Add ‘asc’ (‘top 5 by column asc’) if you want the lowest values.
The Kusto Query Language (KQL) is case sensitive.
- True
- False
Answer: True
Explanation: Table names, column names, operators, functions, and keywords are all case-sensitive in KQL (‘Where’ is a syntax error). Case sensitivity of string comparisons depends on the operator: ‘==’ and the ‘_cs’ variants are case-sensitive, while ‘=~’, ‘has’, ‘contains’, ‘startswith’, and ‘endswith’ are case-insensitive.
The “takes” operator is used in Kusto Query Language to limit the number of records returned by a query.
- True
- False
Answer: False
Explanation: The “take” operator is actually used in KQL to limit the quantity of records returned by a search or query.
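Several of the questions above concern conditionals, renaming, grouping, and ‘top’. The following query, an added example rather than part of the original page, shows those operators working together on a constructed ‘datatable’ (the rows are invented, not real telemetry), so it runs on any Kusto endpoint without needing a workspace or specific tables.

```kusto
// Added example; the sample rows below are constructed, not real telemetry.
let Events = datatable(TimeGenerated:datetime, Account:string, SeverityLevel:int, Message:string)
[
    datetime(2024-01-10 08:00:00), "alice@contoso.com", 1, "User signed in",
    datetime(2024-01-10 08:05:00), "bob@contoso.com",   3, "Password validation failed",
    datetime(2024-01-10 08:06:00), "bob@contoso.com",   3, "Password validation failed",
    datetime(2024-01-10 08:07:00), "bob@contoso.com",   4, "Account locked out",
    datetime(2024-01-10 08:30:00), "carol@contoso.com", 2, "MFA challenge issued"
];
Events
// case() is the if / else-if / else chain; the last argument is the default.
| extend Severity = case(SeverityLevel >= 4, "Critical",
                         SeverityLevel == 3, "Error",
                         SeverityLevel == 2, "Warning",
                                             "Informational")
// iff() is the two-way form. has_any matches whole terms, case-insensitively.
| extend Outcome = iff(Message has_any ("failed", "locked"), "failure", "success")
// project-rename changes one column's name and keeps every other column.
| project-rename User = Account
// count() per group; the standalone count operator would return one total row.
| summarize EventCount = count(),
            AuthFailures = countif(Outcome == "failure"),
            LastSeen = max(TimeGenerated)
    by User, Severity
// top returns the N highest by default; write "asc" to get the lowest instead.
| top 3 by AuthFailures desc
```

With this input the first two result rows are bob@contoso.com at Error (two failures) and bob@contoso.com at Critical (one failure); the third is one of the zero-failure groups. Because ‘has_any’ is case-insensitive, “Failed” and “FAILED” in a message would match as well; use ‘has_cs’ if the casing is significant.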
Interview Questions
What is Kusto Query Language (KQL)?
KQL is a read-only request to process data and return results. It’s the language for querying Azure Monitor logs and is used extensively in both Log Analytics and Application Insights.
What is the syntax of the KQL query that searches the entire text of a record for a value?
The syntax is search "Value" on its own, which scans every table in scope, or Table | search "Value" to scan a single table. It returns the records that contain the value in any column. Matching is case-insensitive by default, and the operator is expensive on large workspaces, so prefer a ‘where’ on a specific column once you know where the value lives.
What is the standard format to filter items in Kusto Query Language?
The standard form is Table | where Column == "value". This keeps only the rows of the table where the column exactly (and case-sensitively) matches the value; use =~ instead of == for a case-insensitive comparison.
In KQL, how do you sort the results?
You use the “sort by” operator (or its alias “order by”). For example, Table | sort by Column desc sorts the results in descending order by the specified column. The keyword must be written in lowercase, because KQL is case-sensitive.
What function do you use in KQL to create a time range?
The “ago()” function returns a datetime relative to the query’s execution time, so a time range is expressed as a filter on the timestamp column. For example, Table | where Timestamp > ago(7d) returns the records from “Table” whose “Timestamp” falls within the last seven days.
How would you write a KQL command to return all records where a specific field contains a specific value?
Table | where Field contains "value" returns all records where “Field” includes “value” anywhere in its text. When you are matching a whole word or token, Table | where Field has "value" is both more precise and faster, because “has” uses the term index while “contains” scans substrings.
What is the key function of the “summarize” operator in KQL?
The “summarize” operator in KQL is used to group rows that have the same value in specified columns into summary rows, like “group by” in SQL.
How can you concatenate strings in KQL?
You concatenate strings with the strcat() function. For example, strcat('hello', ' ', 'world') returns 'hello world'.
What is the use of the “project” operator in KQL?
The “project” operator is used to select which columns to include, rename or drop, and to introduce new computed columns.
What function would you use in KQL to calculate the average of a set of numbers?
The avg() function can be used to calculate the average of a set of numbers in KQL.
How do we limit the number of records returned in KQL?
The ‘take’ operator (alias ‘limit’) caps the number of records returned. For example, Table | take 100 returns at most 100 rows. ‘take’ makes no ordering guarantee, so when you need the first N rows by some column use ‘top’, or ‘sort by’ followed by ‘take’.
Can KQL queries be case-sensitive?
The language itself is case-sensitive: table names, column names, operators, and functions must be written with the correct casing. String comparison operators, however, come in both flavours: “has”, “contains”, “startswith”, “endswith”, and “=~” compare case-insensitively, while “==”, “!=”, “has_cs”, “contains_cs”, “startswith_cs”, and “endswith_cs” compare case-sensitively.
What is the functionality of union operator in KQL?
The union operator appends the rows of two or more tables or tabular expressions into a single result set. The inputs do not need a related column; columns that exist in only some of them are filled with nulls. Combining tables on a shared key column is the job of the join operator.
Can we use regular expressions in KQL queries?
Yes. The ‘matches regex’ operator filters rows by a regular expression (RE2 syntax), and the extract() function pulls a capture group out of a string into a new column.
How can you calculate the sum of a specific field using KQL?
The “summarize” command together with the “sum()” function can be used to calculate the sum of a specific field. For example, “Table | summarize sum(Field)” would return the sum of the values in “Field”.
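The string matching, regex, concatenation, and union/join answers above are easiest to see side by side. The query below is an added example, not part of the original page; its web-request and blocklist rows are constructed with ‘datatable’ and are not real traffic, and the traversal and injection patterns are deliberately simple illustrations of the operators, not production detection logic.

```kusto
// Added example; the sample rows below are constructed, not real traffic.
let Requests = datatable(TimeGenerated:datetime, ClientIP:string, Url:string, UserAgent:string)
[
    datetime(2024-01-10 09:00:00), "198.51.100.7", "/login",                 "Mozilla/5.0",
    datetime(2024-01-10 09:00:05), "198.51.100.7", "/admin/../etc/passwd",   "curl/8.4.0",
    datetime(2024-01-10 09:01:00), "203.0.113.9",  "/api/items?id=1",        "python-requests/2.31",
    datetime(2024-01-10 09:02:00), "203.0.113.9",  "/api/items?id=1 OR 1=1", "python-requests/2.31"
];
let Blocklist = datatable(ClientIP:string, Reason:string)
[
    "198.51.100.7", "known scanner"
];
Requests
// has / has_any match whole terms (case-insensitive, index-backed);
// "python" is a term in "python-requests/2.31" because '-' separates terms.
| extend IsScriptedClient = UserAgent has_any ("curl", "python")
// contains is a plain substring match, needed here because "../" is not a term.
| extend HasTraversal = Url contains "../"
// matches regex uses RE2 syntax; (?i) makes the pattern case-insensitive.
| extend LooksLikeSqli = Url matches regex @"(?i)\b(or|and)\b\s+\d+\s*=\s*\d+"
// extract() returns capture group 1, or an empty string when nothing matches.
| extend QueryId = extract(@"id=(\d+)", 1, Url)
// join adds columns from a second table on a key; union would append its rows instead.
| join kind=leftouter Blocklist on ClientIP
| extend Verdict = strcat(ClientIP, ": ", iff(isnotempty(Reason), Reason, "not on blocklist"))
| where IsScriptedClient or HasTraversal or LooksLikeSqli
| project TimeGenerated, ClientIP, Url, IsScriptedClient, HasTraversal, LooksLikeSqli, QueryId, Verdict
```

Three of the four constructed rows survive the final filter: the curl request with the traversal sequence, and the two python-requests calls, the second of which also trips the regex. The /login row from a browser user agent is dropped. ‘kind=leftouter’ keeps requests whose address is not on the blocklist, which is why ‘Reason’ has to be tested with isnotempty() before it is used.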