KQL 快速参考KQL quick reference
本文显示了函数的列表及其说明,以帮助你开始使用 Kusto 查询语言。This article shows you a list of functions and their descriptions to help get you started using Kusto Query Language.
| 运算符/函数Operator/Function | 说明Description | 语法Syntax |
|---|---|---|
| 筛选/搜索/条件Filter/Search/Condition | 通过筛选或搜索来查找相关数据Find relevant data by filtering or searching | |
| wherewhere | 基于特定的谓词进行筛选Filters on a specific predicate | T | where Predicate |
| where contains/haswhere contains/has | Contains:查找任何子字符串匹配项Contains: Looks for any substring match Has:查找特定字词(性能更好)Has: Looks for a specific word (better performance) |
T | where col1 contains/has "[search term]" |
| searchsearch | 在表的所有列中搜索值Searches all columns in the table for the value | [TabularSource |] search [kind=CaseSensitivity] [in (TableSources)] SearchPredicate |
| taketake | 返回指定数量的记录。Returns the specified number of records. 用来测试查询Use to test a query 注意 : _take_ 和 _limit_ 是同义词。Note : _take_ and _limit_ are synonyms. |
T | take NumberOfRows |
| casecase | 添加一个条件语句,类似于其他系统中的 if/then/elseif。Adds a condition statement, similar to if/then/elseif in other systems. | case(predicate_1, then_1, predicate_2, then_2, predicate_3, then_3, else) |
| distinctdistinct | 生成一个表,其中包含输入表中所提供列的不同组合Produces a table with the distinct combination of the provided columns of the input table | distinct [ColumnName], [ColumnName] |
| 日期/时间Date/Time | 使用日期和时间函数的操作Operations that use date and time functions | |
| agoago | 返回相对于查询执行时间的时间偏移量。Returns the time offset relative to the time the query executes. 例如,ago(1h) 是当前时钟读数之前的一小时。For example, ago(1h) is one hour before the current clock's reading. |
ago(a_timespan) |
| format_datetimeformat_datetime | 以各种日期格式返回数据。Returns data in various date formats. | format_datetime(datetime , format) |
| binbin | 将某个时间范围内的所有值进行舍入并对其进行分组Rounds all values in a timeframe and groups them | bin(value,roundTo) |
| 创建/删除列Create/Remove Columns | 在表中添加或删除列Add or remove columns in a table | |
| printprint | 输出包含一个或多个标量表达式的单个行Outputs a single row with one or more scalar expressions | print [ColumnName =] ScalarExpression [',' ...] |
| projectproject | 选择要按指定顺序包括的列Selects the columns to include in the order specified | T | project ColumnName [= Expression] [, ...] 或Or T | project [ColumnName | (ColumnName[,]) =] Expression [, ...] |
| project-awayproject-away | 选择要从输出中排除的列Selects the columns to exclude from the output | T | project-away ColumnNameOrPattern [, ...] |
| project-keepproject-keep | 选择要在输出中保留的列Selects the columns to keep in the output | T | project-keep ColumnNameOrPattern [, ...] |
| project-renameproject-rename | 对结果输出中的列重命名Renames columns in the result output | T | project-rename new_column_name = column_name |
| project-reorderproject-reorder | 对结果输出中的列重新排序Reorders columns in the result output | T | project-reorder Col2, Col1, Col* asc |
| extendextend | 创建一个计算列并将其添加到结果集Creates a calculated column and adds it to the result set | T | extend [ColumnName | (ColumnName[, ...]) =] Expression [, ...] |
| 对数据集进行排序和聚合Sort and Aggregate Dataset | 通过以有意义的方式对数据进行排序或分组来重构数据Restructure the data by sorting or grouping them in meaningful ways | |
| sortsort | 根据一个或多个列按升序或降序为输入表的行排序Sorts the rows of the input table by one or more columns in ascending or descending order | T | sort by expression1 [asc|desc], expression2 [asc|desc], … |
| 返回页首top | 当使用 by 对数据集进行排序时返回数据集的前 N 行Returns the first N rows of the dataset when the dataset is sorted using by |
T | top numberOfRows by expression [asc|desc] [nulls first|last] |
| summarizesummarize | 根据 by 分组列对行进行分组,并计算每个组的聚合Groups the rows according to the by group columns, and calculates aggregations over each group |
T | summarize [[Column =] Aggregation [, ...]] [by [Column =] GroupExpression [, ...]] |
| countcount | 对输入表中的记录进行计数(例如 T)Counts records in the input table (for example, T) 此运算符是 summarize count() 的简写This operator is shorthand for summarize count() |
T | count |
| joinjoin | 通过匹配每个表中指定列的值,合并两个表的行以组成新表。Merges the rows of two tables to form a new table by matching values of the specified column(s) from each table. 支持完整范围的联接类型:flouter、inner、innerunique、leftanti、leftantisemi、leftouter、leftsemi、rightanti、rightantisemi、rightouter、rightsemiSupports a full range of join types: flouter, inner, innerunique, leftanti, leftantisemi, leftouter, leftsemi, rightanti, rightantisemi, rightouter, rightsemi |
LeftTable | join [JoinParameters] ( RightTable ) on Attributes |
| unionunion | 获取两个或多个表,并返回表中的所有行。Takes two or more tables and returns all their rows | [T1] | union [T2], [T3], … |
| rangerange | 生成包含一系列算术值的表Generates a table with an arithmetic series of values | range columnName from start to stop step step |
| 设置数据格式Format Data | 重构数据以便以有用的方式输出Restructure the data to output in a useful way | |
| lookuplookup | 使用在维度表中查找的值扩展事实数据表的列Extends the columns of a fact table with values looked-up in a dimension table | T1 | lookup [kind = (leftouter|inner)] ( T2 ) on Attributes |
| mv-expandmv-expand | 将动态数组转换为行(多值扩展)Turns dynamic arrays into rows (multi-value expansion) | T | mv-expand Column |
| parseparse | 计算字符串表达式并将其值分析为一个或多个计算列。Evaluates a string expression and parses its value into one or more calculated columns. 用于构造非结构化数据。Use for structuring unstructured data. | T | parse [kind=regex [flags=regex_flags] |simple|relaxed] Expression with * (StringConstant ColumnName [: ColumnType]) *... |
| make-seriesmake-series | 沿指定的轴创建指定聚合值的系列Creates series of specified aggregated values along a specified axis | T | make-series [MakeSeriesParamters] [Column =] Aggregation [default = DefaultValue] [, ...] on AxisColumn from start to end step step [by [Column =] GroupExpression [, ...]] |
| letlet | 将名称绑定到可引用其绑定值的表达式。Binds a name to expressions that can refer to its bound value. 值可以是 lambda 表达式,用来创建作为查询的一部分的即席函数。Values can be lambda expressions to create ad-hoc functions as part of the query. 使用 let 基于其结果看起来像新表的表创建表达式。Use let to create expressions over tables whose results look like a new table. |
let Name = ScalarExpression | TabularExpression | FunctionDefinitionExpression |
| 常规General | 其他操作和函数Miscellaneous operations and function | |
| invokeinvoke | 对作为输入的表运行此函数。Runs the function on the table that it receives as input. | T | invoke function([param1, param2]) |
| evaluate pluginNameevaluate pluginName | 评估查询语言扩展(插件)Evaluates query language extensions (plugins) | [T |] evaluate [ evaluateParameters ] PluginName ( [PluginArg1 [, PluginArg2]... ) |
| 可视化Visualization | 以图形格式显示数据的操作Operations that display the data in a graphical format | |
| renderrender | 将结果呈现为图形输出Renders results as a graphical output | T | render Visualization [with (PropertyName = PropertyValue [, ...] )] |