kql

Solid

KQL language expertise for writing correct, efficient Kusto Query Language queries. Covers syntax gotchas, join patterns, dynamic types, datetime pitfalls, regex patterns, serialization, memory management, result-size discipline, and advanced functions (geo, vector, graph). USE THIS SKILL whenever writing, debugging, or reviewing KQL queries — even simple ones — because the gotchas section prevents the most common errors that waste tool calls and cause expensive retry cascades. Trigger on: KQL, Kusto, ADX, Azure Data Explorer, Fabric Real-Time Intelligence, EventHouse, Log Analytics, log analysis, data exploration, time series, anomaly detection, summarize, where clause, join, extend, project, let statement, parse operator, extract function, any mention of pipe-forward query syntax.

Code & Development 2,541 stars 295 forks Updated yesterday MIT

Install

View on GitHub

Quality Score: 93/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# KQL Mastery ## 1. KQL Basics Kusto Query Language (KQL) is a pipe-forward query language for exploring data. It is the native query language for Azure Data Explorer (ADX), Microsoft Fabric Real-Time Intelligence (EventHouse), Azure Monitor Log Analytics, Microsoft Sentinel, and other Microsoft data services. ### Pipe-forward syntax KQL queries are a chain of operators separated by `|`. Data flows left to right: ```kql StormEvents // start with a table | where State == "TEXAS" // filter rows | summarize count() by EventType // aggregate | top 5 by count_ desc // limit results ``` ### Query vs management commands KQL has two execution planes: | Plane | Starts with | Examples | |-------|-------------|----------| | **Query** | Table name, `let`, `print`, `datatable` | `StormEvents \| where State == "TEXAS"` | | **Management** | `.show`, `.create`, `.set`, `.drop`, `.alter` | `.show tables`, `.show table T schema` | Management commands cannot be piped into query operators: ```kql // ❌ WRONG — .show is management, | project is query .show tables | project TableName // ✅ RIGHT — run management and query separately // Step 1: .show tables // Step 2: MyTable | take 5 ``` When in doubt: if the first token starts with `.`, it's a management command. ## 2. Dynamic Type Discipline KQL's `dynamic` type is flexible but strict in certain contexts. A common mistake is using a dynamic column in `summarize by`, `order by`, or...

Details

Author
microsoft
Repository
microsoft/skills
Created
4 months ago
Last Updated
yesterday
Language
TypeScript
License
MIT

Integrates with

Azure · Cloud Model Context Protocol · AI

Similar Skills

Semantically similar based on skill content — not just same category

DevOps & Infrastructure Listed

azure-kusto

Query and analyze data in Azure Data Explorer (Kusto/ADX) using KQL for log analytics, telemetry, and time series analysis. USE FOR: KQL queries, Kusto database queries, Azure Data Explorer, ADX clusters, log analytics, time series data, IoT telemetry, anomaly detection DO NOT USE FOR: SQL databases (use azure-postgres), NoSQL queries (use azure-storage), Elasticsearch, AWS analytics tools

353 Updated today
aiskillstore
DevOps & Infrastructure Solid

azure-kusto

Query and analyze data in Azure Data Explorer (Kusto/ADX) using KQL for log analytics, telemetry, and time series analysis. WHEN: KQL queries, Kusto database queries, Azure Data Explorer, ADX clusters, log analytics, time series data, IoT telemetry, anomaly detection.

607 Updated 2 months ago
microsoft
DevOps & Infrastructure Solid

azure-kusto

Query and analyze data in Azure Data Explorer (Kusto/ADX) using KQL for log analytics, telemetry, and time series analysis. WHEN: KQL queries, Kusto database queries, Azure Data Explorer, ADX clusters, log analytics, time series data, IoT telemetry, anomaly detection.

1,998 Updated 2 months ago
microsoft