如果你熟悉 SQL 并想要了解 KQL,请将 SQL 查询转换为 KQL,方法是在 SQL 查询前面加上注释行 -- 和关键字 explain。 输出将显示该查询的 KQL 版本,这可以帮助你了解 KQL 语法和概念。
--
explain
SELECT COUNT_BIG(*) as C FROM StormEvents
输出
| 查询 |
|---|
StormEvents<br>| summarize C=count()<br>| project C |
SQL 到 Kusto 备份单
下表显示了以 SQL 编写的示例查询及其 KQL 等效项。
| 类别 | SQL 查询 | Kusto 查询 | 了解更多 |
|---|---|---|---|
| 从表中选择数据 | SELECT * FROM dependencies |
dependencies |
表格表达式语句 |
| -- | SELECT name, resultCode FROM dependencies |
dependencies | project name, resultCode |
project |
| -- | SELECT TOP 100 * FROM dependencies |
dependencies | take 100 |
take |
| Null 评估 | SELECT * FROM dependenciesWHERE resultCode IS NOT NULL |
dependencies | where isnotnull(resultCode) |
isnotnull() |
| 比较运算符(日期) | SELECT * FROM dependenciesWHERE timestamp > getdate()-1 |
dependencies | where timestamp > ago(1d) |
ago() |
| -- | SELECT * FROM dependenciesWHERE timestamp BETWEEN ... AND ... |
dependencies | where timestamp between (datetime(2016-10-01) .. datetime(2016-11-01)) |
between |
| 比较运算符(字符串) | SELECT * FROM dependenciesWHERE type = "Azure blob" |
dependencies | where type == "Azure blob" |
逻辑运算符 |
| -- | -- substringSELECT * FROM dependenciesWHERE type like "%blob%" |
// substringdependencies | where type has "blob" |
has |
| -- | -- wildcardSELECT * FROM dependenciesWHERE type like "Azure%" |
// wildcarddependencies | where type startswith "Azure"// ordependencies | where type matches regex "^Azure.*" |
startswithmatches regex |
| 比较(布尔值) | SELECT * FROM dependenciesWHERE !(success) |
dependencies | where success == False |
逻辑运算符 |
| 分组,聚合 | SELECT name, AVG(duration) FROM dependenciesGROUP BY name |
dependencies | summarize avg(duration) by name |
summarize avg() |
| Distinct | SELECT DISTINCT name, type FROM dependencies |
dependencies | distinct name, type |
summarize distinct |
| -- | SELECT name, COUNT(DISTINCT type) FROM dependencies GROUP BY name |
dependencies| summarize by name, type | summarize count() by name// or approximate for large sets dependencies| summarize dcount(type) by name |
count() dcount() |
| 列别名、扩展 | SELECT operationName as Name, AVG(duration) as AvgD FROM dependenciesGROUP BY name |
dependencies | summarize AvgD = avg(duration) by Name=operationName |
Alias 语句 |
| -- | SELECT conference, CONCAT(sessionid, ' ' , session_title) AS session FROM ConferenceSessions |
ConferenceSessions | extend session=strcat(sessionid, " ", session_title) | project conference, session |
strcat() project |
| 中间件排序 | SELECT name, timestamp FROM dependenciesORDER BY timestamp ASC |
dependencies | project name, timestamp | sort by timestamp asc nulls last |
sort |
| 按度量值排名的前 n 位 | SELECT TOP 100 name, COUNT(*) as Count FROM dependenciesGROUP BY nameORDER BY Count DESC |
dependencies | summarize Count = count() by name | top 100 by Count desc |
返回页首 |
| Union | SELECT * FROM dependenciesUNIONSELECT * FROM exceptions |
union dependencies, exceptions |
union |
| -- | SELECT * FROM dependenciesWHERE timestamp > ...UNIONSELECT * FROM exceptionsWHERE timestamp > ... |
dependencies | where timestamp > ago(1d) | union (exceptions | where timestamp > ago(1d)) |
|
| 联接 | SELECT * FROM dependencies LEFT OUTER JOIN exceptionsON dependencies.operation_Id = exceptions.operation_Id |
dependencies | join kind = leftouter (exceptions)on $left.operation_Id == $right.operation_Id |
join |
| 嵌套查询 | SELECT * FROM dependenciesWHERE resultCode == (SELECT TOP 1 resultCode FROM dependenciesWHERE resultId = 7ORDER BY timestamp DESC) |
dependencies | where resultCode == toscalar( dependencies | where resultId == 7 | top 1 by timestamp desc | project resultCode) |
toscalar |
| Having | SELECT COUNT(\*) FROM dependenciesGROUP BY nameHAVING COUNT(\*) > 3 |
dependencies | summarize Count = count() by name | where Count > 3 |
summarize where |
相关内容
- 使用 T-SQL 查询数据