Kusto Query Language (KQL) - Where Operator
Basic Syntax:
The basic syntax for the where
operator is as follows:
TableName
| where [condition]
TableName
: Specifies the name of the table you want to filter.condition
: Specifies the filtering condition that determines which rows to include in the result.
Common Use Cases:
1. Basic Filtering:
The where
operator is commonly used to filter rows based on simple conditions. For example:
MyTable
| where MyColumn > 50
2. Complex Conditions:
You can use logical operators like and
, or
, and not
to create complex filtering conditions:
MyTable
| where (Column1 > 10 and Column2 = "value") or not (Column3 isnull())
3. String Matching:
For text-based columns, you can use string functions and operators for matching patterns:
MyTable
| where MyColumn contains "pattern"
4. Date and Time Filtering:
You can filter rows based on date and time criteria using functions like datetime()
:
MyTable
| where EventDate >= datetime(2023-01-01) and EventDate < datetime(2023-02-01)
5. Combining Operators:
Combine the where
operator with other operators like project
and extend
for more advanced queries:
MyTable
| extend NewColumn = Column1 * 2
| where NewColumn > 100
The where
operator is a fundamental tool for filtering data in Kusto Query Language, allowing you to narrow down results based on specified conditions.