In the last post we went through setting up a Log Analytics workspace and configuring a diagnostic setting to send data to it.
In this post we will go through using the different KQL operators.
First we will use the search operator to return all data in the log workspace. This is useful when trying to find the table we want to query, or to see whether a specific event type is being ingested at all.
search *

If we want to return a specific number of rows, in no particular order, we can use take.
Table
| take 10

To return a list of unique values in a column we can use distinct.
Table
| distinct AppDisplayName

To select rows that match either of two conditions we can combine them with the or operator inside where.
Table
| where column_name contains "value" or column_name contains "Signup Portal"
| project value1, value2

To sort the results we can use order by.
Table
| where column_name contains "value" or column_name contains "Signup Portal"
| order by type
| project value1, value2

To return the first set of rows sorted by a column we can use top, which combines the sort and the row limit in one operator.
Table
| top 10 by column_name
| project value1

To return data between a specific start and end date and time we can use the between operator on TimeGenerated.
Table
| where TimeGenerated between (datetime(2023-08-14T19:12:00) .. datetime(2023-08-15T19:12:00))
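Putting the operators above together, here is an added example (not from the original post) that triages failed sign-ins to two apps in the same one-day window. It assumes the SigninLogs table created by the Entra ID diagnostic setting, with its ResultType, UserPrincipalName and IPAddress columns, and it uses summarize, which this post has not covered yet, to count failures per user and source address.

```kql
// Added example, not from the original post.
// Assumes the SigninLogs table from the Entra ID diagnostic setting.
// In SigninLogs a ResultType of "0" is a successful sign-in, so anything
// else is a failure worth looking at.
SigninLogs
| where TimeGenerated between (datetime(2023-08-14T19:12:00) .. datetime(2023-08-15T19:12:00))
| where ResultType != "0"
| where AppDisplayName contains "Portal" or AppDisplayName contains "Office"
| summarize FailedSignins = count(), Apps = make_set(AppDisplayName) by UserPrincipalName, IPAddress
| top 10 by FailedSignins desc
| project UserPrincipalName, IPAddress, FailedSignins, Apps
```

Swap the app names and window for your own, and drop the ResultType filter to see successful sign-ins from the same sources for comparison.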

In the next post we will go through querying and structuring data, as well as visualizing data in charts using the render operator.