KQL docs navigation guide
The behavior of KQL may vary when using this language in different services. When you view any KQL documentation article by using our Learn website, the currently chosen service name is visible above the table of contents (TOC) under the Version dropdown. Switch between services using the version dropdown to see the KQL behavior for the selected service.
Change service selection
HTTPS parameter view=
Applies to services
Most KQL articles have the words Applies to under their title, followed on the same line by a list of services with indicators showing which services the article is relevant to. For example, a certain function could be applicable to Fabric and Azure Data Explorer, but not Azure Monitor or others. If you do not see the service you are using, most likely the article is not relevant to your service.
Versions
The following table describes the different versions of KQL and the services they are associated with.
Version | Description |
---|---|
Microsoft Fabric | Microsoft Fabric is an end-to-end analytics and data platform designed for enterprises that require a unified solution. It encompasses data movement, processing, ingestion, transformation, real-time event routing, and report building. Within the suite of experiences offered in Microsoft Fabric, Real-Time Intelligence is a powerful service that empowers everyone in your organization to extract insights and visualize their data in motion. It offers an end-to-end solution for event-driven scenarios, streaming data, and data logs. The main query environment for KQL in Microsoft Fabric is the KQL queryset. KQL in Microsoft Fabric supports query operators, functions, and management commands. |
Azure Data Explorer | Azure Data Explorer is a fully managed, high-performance, big data analytics platform that makes it easy to analyze high volumes of data in near real time. There are several query environments and integrations that can be used in Azure Data Explorer, including the web UI. KQL in Azure Data Explorer is the full, native version, which supports all query operators, functions, and management commands. |
Azure Monitor | Log Analytics is a tool in the Azure portal that’s used to edit and run log queries against data in the Azure Monitor Logs store. You interact with Log Analytics in a Log Analytics workspace in the Azure portal. KQL in Azure Monitor uses a subset of the overall KQL operators and functions. |
Microsoft Sentinel | Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) that delivers an intelligent and comprehensive solution for SIEM and security orchestration, automation, and response (SOAR). Microsoft Sentinel provides cyberthreat detection, investigation, response, and proactive hunting, with a bird’s-eye view across your enterprise. Microsoft Sentinel is built on top of the Azure Monitor service and it uses Azure Monitor’s Log Analytics workspaces to store all of its data. KQL in Microsoft Sentinel uses a subset of the overall KQL operators and functions. |