Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
KQL behavior can vary across services. On Microsoft Learn, the selected service name appears above the table of contents (TOC) under the Version dropdown. To view behavior for another service, use the Version dropdown to switch services.
Change service selection
To view documentation for another KQL version, select the expander arrow at the end of the current version moniker, then select a service. The page updates to show any differences for that version. Some services have no differences, so the content might not change.
HTTPS view= parameter
Articles at https://learn.microsoft.com/kusto/ include a ?view= parameter. The parameter value is the versioning moniker code.
The moniker code in the HTTPS address always matches the moniker name displayed in the versioning control.
Applies to services
Most KQL articles include Applies to under the title. The line lists services and shows which ones the article applies to. For example, a function might apply to Azure Data Explorer, but not to Azure Monitor. If you don't see your service, the article likely doesn't apply.
Versions
This table describes KQL versions and their associated services.
Version | Description |
---|---|
Azure Data Explorer | Azure Data Explorer is a fully managed, high-performance analytics platform for near real-time analysis of large data volumes. Use several query environments and integrations, including the web UI. KQL in Azure Data Explorer is the full native version. It supports all query operators, functions, and management commands. |
Azure Monitor | Log Analytics is a tool in the Azure portal you use to edit and run log queries against data in the Azure Monitor Logs store. Use Log Analytics in a Log Analytics workspace in the Azure portal. KQL in Azure Monitor uses a subset of KQL operators and functions. |
Microsoft Sentinel | Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) platform with security orchestration, automation, and response (SOAR). It provides threat detection, investigation, response, and proactive hunting across your enterprise. It uses Azure Monitor Log Analytics workspaces to store its data. KQL in Microsoft Sentinel uses a subset of KQL operators and functions. |