azure-data-explorer-kusto-queries

Azure Data Explorer & Kusto Query Language


Comprehensive skill for Azure Data Explorer (ADX) - Microsoft's fast, fully managed data analytics service for real-time analysis on large volumes of streaming data.

Quick Reference


| Task | Go To |
|---|---|
| Write a KQL query | kql-query-language/ |
| Ingest data into ADX | data-ingestion/ |
| Create dashboards | visualization-dashboards/ |
| Time series / ML | time-series-ml/ |
| Manage tables / policies | management-commands/ |

KQL Essentials


Query Structure


```kql
TableName
| where TimeGenerated > ago(1h)
| where Level == "Error"
| summarize Count = count() by bin(TimeGenerated, 5m), Source
| order by TimeGenerated desc
```

Top 10 Operators


| Operator | Purpose | Example |
|---|---|---|
| `where` | Filter rows | `where Status == 200` |
| `project` | Select columns | `project Name, Age` |
| `extend` | Add computed column | `extend Duration = EndTime - StartTime` |
| `summarize` | Aggregate | `summarize count() by Category` |
| `join` | Combine tables | `join kind=inner OtherTable on Key` |
| `order by` | Sort results | `order by Timestamp desc` |
| `take` | Limit rows | `take 100` |
| `distinct` | Unique values | `distinct UserName` |
| `parse` | Extract from string | `parse Message with * "error:" ErrorMsg` |
| `mv-expand` | Expand arrays | `mv-expand Tags` |

Common Patterns


Time filtering:
```kql
| where TimeGenerated > ago(24h)
| where TimeGenerated between (datetime(2024-01-01) .. datetime(2024-01-31))
```
Aggregation:
```kql
| summarize
    Count = count(),
    AvgDuration = avg(Duration),
    P95 = percentile(Duration, 95)
  by bin(TimeGenerated, 1h)
```
String searching (prefer `has` over `contains` for performance):
```kql
| where Message has "error"        // Fast - word boundary match
| where Message contains "err"     // Slow - substring match
```
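The two string operators also differ in what they match, not only in speed: `has` matches whole terms while `contains` matches any substring, so replacing one with the other can change which rows a filter or detection query returns. The query below is an added example, not part of the original skill; the `Logs` table and its rows are constructed for illustration.

```kql
// Added example: constructed sample rows, not data from the original page.
// Row 1 holds the term "error"; row 2 holds the longer term "errors";
// row 3 has "err" only inside the term "stderr"; row 4 is upper-case.
let Logs = datatable(Id:int, Message:string)
[
    1, "Disk error: volume full",
    2, "3 errors during sync",
    3, "stderr closed by peer",
    4, "ERROR: request timed out",
    5, "Login succeeded"
];
Logs
| extend
    HasTerm     = Message has "error",       // whole-term match, case-insensitive
    HasTermCs   = Message has_cs "error",    // whole-term match, case-sensitive
    HasPrefix   = Message hasprefix "err",   // any term that starts with "err"
    ContainsSub = Message contains "err"     // any substring, case-insensitive
// Rows a contains -> has rewrite would stop matching
| extend MissedByHas = ContainsSub and not(HasTerm)
| project Id, Message, HasTerm, HasTermCs, HasPrefix, ContainsSub, MissedByHas
```

Rows flagged in `MissedByHas` are the ones to review before swapping `contains` for `has` in an existing filter; `hasprefix` is often the closer replacement when the search string is a word stem.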
Join:
```kql
Table1
| join kind=leftouter (Table2) on CommonKey
```

Feature Areas


1. KQL Query Language


645+ functions and operators for data analysis.
Reference: feature-area-skill-resources/kql-query-language/reference.md
  • Tabular operators (where, project, summarize, join, union, etc.)
  • Scalar functions (string, datetime, math, conditional)
  • Aggregation functions (count, sum, avg, dcount, percentile)
  • Data types (string, datetime, dynamic, real, bool, etc.)
Best Practices: feature-area-skill-resources/kql-query-language/best-practices.md
  • Query optimization techniques
  • String operator performance (`has` vs `contains`)
  • Join strategies and hints
Examples: feature-area-skill-resources/kql-query-language/examples.md

2. Data Ingestion


Multiple methods to get data into ADX.
Reference: feature-area-skill-resources/data-ingestion/reference.md
  • Streaming ingestion (low latency, <4MB)
  • Queued/batched ingestion (high throughput)
  • Connectors: Event Hubs, Event Grid, IoT Hub, Kafka, Spark
  • Ingestion mappings (CSV, JSON, Parquet, Avro)
Best Practices: feature-area-skill-resources/data-ingestion/best-practices.md
  • Choosing streaming vs queued ingestion
  • Batching policy tuning
  • Error handling
Examples: feature-area-skill-resources/data-ingestion/examples.md

3. Visualization & Dashboards


Native dashboards and external integrations.
Reference: feature-area-skill-resources/visualization-dashboards/reference.md
  • Native ADX dashboards
  • `render` operator for inline visualization
  • Power BI integration (DirectQuery, Import)
  • Grafana integration
Best Practices: feature-area-skill-resources/visualization-dashboards/best-practices.md
  • Dashboard design principles
  • Chart type selection
  • Performance optimization
Examples: feature-area-skill-resources/visualization-dashboards/examples.md

4. Time Series & Machine Learning


Advanced analytics for IoT, monitoring, and forecasting.
Reference: feature-area-skill-resources/time-series-ml/reference.md
  • `make-series` operator
  • Decomposition: `series_decompose`, `series_decompose_anomalies`
  • Forecasting: `series_decompose_forecast`
  • Python/R plugins for custom ML
  • ONNX model inference
Best Practices: feature-area-skill-resources/time-series-ml/best-practices.md
  • When to use time series analysis
  • Anomaly detection tuning
  • Native functions vs plugins
Examples: feature-area-skill-resources/time-series-ml/examples.md

5. Management Commands


297+ commands for schema, policies, and security.
Reference: feature-area-skill-resources/management-commands/reference.md
  • Schema management (tables, columns, functions)
  • 30+ policy types (retention, caching, partitioning, RLS)
  • Materialized views
  • Security roles and access control
Best Practices: feature-area-skill-resources/management-commands/best-practices.md
  • Policy configuration patterns
  • Schema design guidelines
  • Access control best practices
Examples: feature-area-skill-resources/management-commands/examples.md

6. API & SDK Integration


Programmatic access via REST API and client SDKs.
Reference: feature-area-skill-resources/api-sdk-integration/reference.md
  • REST API endpoints and authentication
  • .NET, Python, Java, Node.js, Go SDKs
  • Connection string formats
Best Practices: feature-area-skill-resources/api-sdk-integration/best-practices.md
Examples: feature-area-skill-resources/api-sdk-integration/examples.md

7. Security & Access Control


Authentication, authorization, and data protection.
Reference: feature-area-skill-resources/security-access-control/reference.md
  • Microsoft Entra ID authentication
  • RBAC roles and row-level security
  • Network security and private endpoints
  • Customer-managed keys (CMK)
Best Practices: feature-area-skill-resources/security-access-control/best-practices.md
Examples: feature-area-skill-resources/security-access-control/examples.md

8. Cluster Management


Cluster operations, scaling, and monitoring.
Reference: feature-area-skill-resources/cluster-management/reference.md
  • SKU selection and sizing
  • Auto-scale configuration
  • Monitoring and diagnostics
Best Practices: feature-area-skill-resources/cluster-management/best-practices.md
Examples: feature-area-skill-resources/cluster-management/examples.md

9. Business Continuity


High availability and disaster recovery.
Reference: feature-area-skill-resources/business-continuity/reference.md
  • Follower databases
  • Cross-region replication
  • Backup and restore
Best Practices: feature-area-skill-resources/business-continuity/best-practices.md
Examples: feature-area-skill-resources/business-continuity/examples.md

10. Integration Services


Azure service integrations.
Reference: feature-area-skill-resources/integration-services/reference.md
  • Azure Monitor, Synapse, Data Factory
  • Logic Apps, Power Automate
  • Cross-product queries
Best Practices: feature-area-skill-resources/integration-services/best-practices.md
Examples: feature-area-skill-resources/integration-services/examples.md

11. UDF Functions Library


Pre-built user-defined functions for advanced analytics.
Reference: feature-area-skill-resources/udf-functions-library/reference.md
  • Statistical tests (t-test, KS test, normality)
  • ML functions (K-means, DBSCAN)
  • Time series and text analytics UDFs
Best Practices: feature-area-skill-resources/udf-functions-library/best-practices.md
Examples: feature-area-skill-resources/udf-functions-library/examples.md

12. Tools & Clients


Desktop, CLI, and web tools.
Reference: feature-area-skill-resources/tools-clients/reference.md
  • Kusto.Explorer (desktop IDE)
  • Kusto.Cli (command line)
  • Web UI and Emulator
Best Practices: feature-area-skill-resources/tools-clients/best-practices.md
Examples: feature-area-skill-resources/tools-clients/examples.md

Resources


Official Documentation


The complete Microsoft documentation is available as a submodule at:
submodules/dataexplorer-docs/

Investigation Reports


Detailed analysis from the skill creation process:
  • investigation-reports/repository-layout/ - Repo structure analysis
  • investigation-reports/feature-overview/ - Feature taxonomy and mapping
  • investigation-reports/feature-in-depth/ - Comprehensive research per feature

See Also
