Log Analytics Workspace - KQL / KUSTO - Quick Start Guide (Azure)

This article has not been completed yet. However, it may already contain helpful information and has therefore been published at this stage.

Basic string operators:

  • ==
  • !=
  • has
  • contains
  • startswith
  • endswith
  • matches regex
  • has_any
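
The following query is an added worked example and is not part of the original article. It builds a small datatable of constructed hostnames and evaluates each operator from the list above against every row, so the differences show up side by side without touching a real workspace (it runs in any Log Analytics or Azure Data Explorer query window):

```kql
// Added example (not from the original article). The hostnames below are
// constructed sample values; the column name hostname_s mirrors the table used
// later in the article.
let Hosts = datatable(hostname_s:string)
[
    "iot2-gateway",
    "IOT2-Gateway",
    "server iot2",
    "riot23",
    "printer-01"
];
Hosts
| extend
    // == and != compare the whole string, case-sensitively
    eq_exact     = hostname_s == "iot2-gateway",            // true only for "iot2-gateway"
    not_printer  = hostname_s != "printer-01",              // true for all but "printer-01"
    // has matches a whole term (alphanumeric run), case-insensitively
    has_term     = hostname_s has "iot2",                   // iot2-gateway, IOT2-Gateway, "server iot2"; NOT riot23
    // contains matches any substring, case-insensitively
    contains_sub = hostname_s contains "iot2",              // the three above plus riot23
    // startswith / endswith are case-insensitive prefix / suffix checks
    starts_iot   = hostname_s startswith "iot",             // iot2-gateway, IOT2-Gateway
    ends_gateway = hostname_s endswith "gateway",           // iot2-gateway, IOT2-Gateway
    // matches regex is RE2 syntax and case-sensitive by default
    regex_match  = hostname_s matches regex @"^iot\d+-",    // iot2-gateway only
    // has_any is true when any listed term occurs as a whole term
    any_role     = hostname_s has_any ("gateway", "printer") // iot2-gateway, IOT2-Gateway, printer-01
| project hostname_s, eq_exact, not_printer, has_term, contains_sub,
          starts_iot, ends_gateway, regex_match, any_role
```

`has` and `has_any` work on whole terms (runs of letters and digits separated by punctuation or whitespace), which is why `riot23` satisfies `contains "iot2"` but not `has "iot2"`. `==`, `!=` and `matches regex` are case-sensitive, while `has`, `contains`, `startswith` and `endswith` are case-insensitive; the `_cs` variants (`has_cs`, `contains_cs`, `startswith_cs`, `endswith_cs`) give case-sensitive behaviour and `=~` gives a case-insensitive equality check. `has` is also the cheaper choice on large tables because it can use the term index, whereas `contains` has to scan the text.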
# How many log entries are in the Log Analytics Workspace?
search * | summarize count()
# How many tables are in the Log Analytics Workspace?
search *| summarize dcount($table)
# Show all tables by name and sort them by count in descending order.
search *| summarize count() by $table | sort by count_ desc
# Look for all tables that contain a certain string
search * | where * contains "iot2" | distinct $table
# Look for all entries in a specific table (eset_CL) where a specific column (hostname_s) has values that start with "iot"
eset_CL| where hostname_s startswith "iot"
# Look for all entries in a specific table (eset_CL), show only specific columns (hostname_s, occured_s) and sort them by a specific column (occured_s)
eset_CL| project hostname_s, occured_s  | sort by occured_s
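
Building on the eset_CL queries above, here is an added example that is not from the original article. It combines a time filter, the `startswith` filter and a per-host summary. It assumes the same custom table and column names as above and, additionally, that occured_s holds a timestamp in a format `todatetime()` can parse, which is an assumption to verify against your own data. Sorting by occured_s directly orders the values as strings (lexicographically); converting to datetime first gives true chronological order:

```kql
// Added example (not from the original article). Assumes the custom table
// eset_CL with the string columns hostname_s and occured_s shown above, and
// that occured_s contains a parseable timestamp (an assumption; check your
// ingestion format). TimeGenerated is the standard ingestion-time column.
eset_CL
| where TimeGenerated > ago(7d)               // narrow the time range first: cheapest filter
| where hostname_s startswith "iot"           // case-insensitive prefix match, as in the article
| extend occured_t = todatetime(occured_s)    // convert so sorting/aggregation is chronological
| where isnotnull(occured_t)                  // drop rows whose occured_s did not parse
| summarize
    events     = count(),
    first_seen = min(occured_t),
    last_seen  = max(occured_t)
    by hostname_s
| sort by events desc                         // busiest hosts first
```

If a host appears with an unexpectedly high event count, rerunning the query with `| where hostname_s == "<host>"` in place of the `summarize` line returns the individual rows for that host in the same time window.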

Sources:

Basic searching and string operators | Kusto King