KQL quick reference

This article shows you a list of operators and functions with their descriptions to help get you started using Kusto Query Language (KQL).

| Operator/Function | Description | Syntax |
|---|---|---|
| **Filter/Search/Condition** | Find relevant data by filtering or searching | |
| where | Filters on a specific predicate | `T \| where Predicate` |
| where contains/has | Contains: looks for any substring match. Has: looks for a specific word (better performance) | `T \| where col1 contains/has "[search term]"` |
| search | Searches all columns in the table for the value | `[TabularSource \|] search [kind=CaseSensitivity] [in (TableSources)] SearchPredicate` |
| take | Returns the specified number of records. Use to test a query. Note: _take_ and _limit_ are synonyms. | `T \| take NumberOfRows` |
| case | Adds a condition statement, similar to if/then/elseif in other systems. | `case(predicate_1, then_1, predicate_2, then_2, predicate_3, then_3, else)` |
| distinct | Produces a table with the distinct combinations of the provided columns of the input table | `distinct [ColumnName], [ColumnName]` |
| **Date/Time** | Operations that use date and time functions | |
| ago | Returns the time offset relative to the time the query executes. For example, ago(1h) is one hour before the current clock's reading. | `ago(a_timespan)` |
| format_datetime | Returns data in various date formats. | `format_datetime(datetime, format)` |
| bin | Rounds all values in a timeframe and groups them | `bin(value, roundTo)` |
| **Create/Remove Columns** | Add or remove columns in a table | |
| print | Outputs a single row with one or more scalar expressions | `print [ColumnName =] ScalarExpression [',' ...]` |
| project | Selects the columns to include in the order specified | `T \| project ColumnName [= Expression] [, ...]`<br>`T \| project [ColumnName \| (ColumnName[,]) =] Expression [, ...]` |
| project-away | Selects the columns to exclude from the output | `T \| project-away ColumnNameOrPattern [, ...]` |
| extend | Creates a calculated column and adds it to the result set | `T \| extend [ColumnName \| (ColumnName[, ...]) =] Expression [, ...]` |
| **Sort and Aggregate Dataset** | Restructure the data by sorting or grouping it in meaningful ways | |
| sort | Sorts the rows of the input table by one or more columns in ascending or descending order | `T \| sort by expression1 [asc\|desc], expression2 [asc\|desc], …` |
| top | Returns the first N rows of the dataset when the dataset is sorted using `by` | `T \| top numberOfRows by expression [asc\|desc] [nulls first\|last]` |
| summarize | Groups the rows according to the `by` group columns, and calculates aggregations over each group | `T \| summarize [[Column =] Aggregation [, ...]] [by [Column =] GroupExpression [, ...]]` |
| count | Counts records in the input table (for example, T). This operator is shorthand for `summarize count()` | `T \| count` |
| join | Merges the rows of two tables to form a new table by matching values of the specified column(s) from each table. Supports a full range of join types: fullouter, inner, innerunique, leftanti, leftantisemi, leftouter, leftsemi, rightanti, rightantisemi, rightouter, rightsemi | `LeftTable \| join [JoinParameters] ( RightTable ) on Attributes` |
| union | Takes two or more tables and returns all their rows | `[T1] \| union [T2], [T3], …` |
| range | Generates a table with an arithmetic series of values | `range columnName from start to stop step step` |
| **Format Data** | Restructure the data to output in a useful way | |
| lookup | Extends the columns of a fact table with values looked up in a dimension table | `T1 \| lookup [kind = (leftouter\|inner)] ( T2 ) on Attributes` |
| mv-expand | Turns dynamic arrays into rows (multi-value expansion) | `T \| mv-expand Column` |
| parse | Evaluates a string expression and parses its value into one or more calculated columns. Use for structuring unstructured data. | `T \| parse [kind=regex [flags=regex_flags] \|simple\|relaxed] Expression with * (StringConstant ColumnName [: ColumnType]) *...` |
| make-series | Creates a series of specified aggregated values along a specified axis | `T \| make-series [MakeSeriesParameters] [Column =] Aggregation [default = DefaultValue] [, ...] on AxisColumn from start to end step step [by [Column =] GroupExpression [, ...]]` |
| let | Binds a name to expressions that can refer to its bound value. Values can be lambda expressions to create ad-hoc functions as part of the query. Use let to create expressions over tables whose results look like a new table. | `let Name = ScalarExpression \| TabularExpression \| FunctionDefinitionExpression` |
| **General** | Miscellaneous operations and functions | |
| invoke | Runs the function on the table that it receives as input. | `T \| invoke function([param1, param2])` |
| evaluate pluginName | Evaluates query language extensions (plugins) | `[T \|] evaluate [ evaluateParameters ] PluginName ( [PluginArg1 [, PluginArg2]... )` |
| **Visualization** | Operations that display the data in a graphical format | |
| render | Renders results as a graphical output | `T \| render Visualization [with (PropertyName = PropertyValue [, ...] )]` |
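The reference above lists each operator on its own; the query below, an added example that is not part of the original page, chains the filter, date/time, aggregation and visualization entries into one detection-style pipeline. It counts failed sign-ins per source address per hour and scores the busiest buckets. The `SignInEvents` table, its columns and every row are constructed sample data built inline with `datatable`, so the query runs on any Kusto endpoint without real data; the `Message` text and result codes are hypothetical, not taken from any product schema.

```kusto
// Constructed sample data (hypothetical SignInEvents table, not a real source).
let SignInEvents = datatable(TimeGenerated: datetime, UserPrincipalName: string, IPAddress: string, ResultType: string, Message: string)
[
    datetime(2024-05-01 10:00:00), "alice@contoso.example", "203.0.113.10", "50126", "Invalid username or password",
    datetime(2024-05-01 10:01:00), "alice@contoso.example", "203.0.113.10", "50126", "Invalid username or password",
    datetime(2024-05-01 10:02:00), "alice@contoso.example", "203.0.113.10", "50126", "Invalid username or password",
    datetime(2024-05-01 10:03:00), "alice@contoso.example", "203.0.113.10", "0",     "Success",
    datetime(2024-05-01 10:05:00), "bob@contoso.example",   "198.51.100.7", "0",     "Success",
    datetime(2024-05-01 11:00:00), "carol@contoso.example", "203.0.113.10", "50126", "Invalid username or password",
    datetime(2024-05-01 11:10:00), "carol@contoso.example", "203.0.113.10", "50126", "Invalid username or password",
];
SignInEvents
// 'has' matches the whole term "Invalid"; 'contains' would also match it inside a longer word.
| where Message has "Invalid"
// Fixed lower bound so the sample is reproducible; a live query would use ago(1d) instead.
| where TimeGenerated > datetime(2024-05-01)
// bin() rounds each timestamp down to the hour; summarize then aggregates per address and hour.
| summarize Failures = count(), Users = dcount(UserPrincipalName) by IPAddress, Hour = bin(TimeGenerated, 1h)
| where Failures >= 2
// case() turns the raw count into a severity label; extend adds it as a new column.
| extend Severity = case(Failures >= 3, "high", Failures >= 2, "medium", "low")
| project Hour, IPAddress, Failures, Users, Severity
// top sorts by the given column and keeps the first N rows in one step.
| top 5 by Failures desc
| render barchart
```

With the constructed rows, the result has two buckets for 203.0.113.10: three failures against one user at 10:00 (high) and two at 11:00 (medium); 198.51.100.7 is absent because it produced no failures. The `Users` column distinguishes many failures against one account from a few failures spread across many accounts, which is the difference between a brute-force and a spray pattern and is the first thing an analyst wants next to the raw count.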
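The Format Data and General rows (let, parse, lookup, mv-expand, project-away) are the ones that turn unstructured event text into something you can join and pivot on. The query below is an added example, not code from the original page, that uses all of them on constructed data: `ProcessEvents` and `HostOwners` are hypothetical tables defined inline with `datatable`, the `agent.exe` command lines and tag arrays are made-up sample values, and `portClass` is an ad-hoc lambda bound with `let` purely for illustration.

```kusto
// Constructed sample data (hypothetical tables, not real sources): process starts whose
// command line names the account they run as, plus a small dimension table of host owners.
let ProcessEvents = datatable(TimeGenerated: datetime, Host: string, Account: string, CommandLine: string, Tags: dynamic)
[
    datetime(2024-05-01 09:00:00), "ws01", "svc_backup", "agent.exe --user=svc_backup --port=8443", dynamic(["scheduled", "backup"]),
    datetime(2024-05-01 09:05:00), "ws02", "alice",      "agent.exe --user=alice --port=22",        dynamic(["interactive"]),
    datetime(2024-05-01 09:07:00), "ws03", "guest",      "agent.exe --user=admin --port=3389",      dynamic(["interactive", "remote"]),
];
let HostOwners = datatable(Host: string, Owner: string, Tier: string)
[
    "ws01", "it-ops", "tier1",
    "ws02", "alice",  "tier2",
];
// Ad-hoc scalar function bound with let: label a port number.
let portClass = (port: long) {
    case(port == 22, "ssh", port == 3389, "rdp", port == 8443, "https-alt", "other")
};
ProcessEvents
// parse pulls the user and port out of the free-text command line into typed columns.
| parse CommandLine with * "--user=" CmdUser " --port=" Port:long
| extend PortClass = portClass(Port)
// lookup enriches from the dimension table; hosts it does not know keep an empty Owner/Tier.
| lookup kind=leftouter (HostOwners) on Host
| extend Tier = iff(isempty(Tier), "unknown", Tier)
// mv-expand gives one row per tag so single tags can be filtered; the source column is then dropped.
| mv-expand Tag = Tags to typeof(string)
| where Tag != "scheduled"
| project-away Tags, CommandLine
// Fold the remaining tags back into one set per event.
| summarize Tags = make_set(Tag) by TimeGenerated, Host, Account, CmdUser, Port, PortClass, Owner, Tier
// Flag events where the account named on the command line differs from the logged-on account.
| extend Mismatch = Account != CmdUser
| sort by Mismatch desc, TimeGenerated asc
```

On the constructed rows, ws03 sorts first: its host is missing from `HostOwners` (Tier becomes "unknown"), the command line names `admin` while the event ran as `guest`, and the port classifies as rdp. Using `lookup` rather than `join` here is deliberate: the dimension table is small and the left side keeps every row, which is what you want for enrichment; `join` with an explicit `kind` is the tool when both sides are large or when the join semantics (anti, semi, fullouter) matter.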