KQL Cheat Sheet
Not all of these queries will work for you, as you may not have the same extended columns. These should primarily be used as reference and adjusted to your own columns if there are discrepancies.
-- logs within the last 2 weeks
<table>
| where timestamp > ago(14d)
--logs in a minute of time
<table>
| where timestamp between (datetime("12/18/2021, 3:50:10.021 PM" .. datetime("12/18/2021, 3:51:10.021 PM") )
--on date 2021-01-02
<table>
| where timestamp > datetime(2021-01-01) and timestamp < datetime(2021-01-03)
--pluck out columns using `project`
<table>
| project, message, timestamp, customDimensions
--take n rows
<table>
| take 5
--ordering by
<table>
| top 5 by timestamp
--group count and take top
<table>
| summarize Count=count() by message
| top 5 by Count
--distinct sessions by country count
<table>
| summarize Count=dcount(session_Id) by client_CountryOrRegion
| sort by Count desc
--add derived column using `extend`
<table>
| extend level=customDimensions.level
--count by day
<table>
| summarize count() by bin(timestamp, 1d)
--engagement by country
<table>
| where customDimensions.level == 30
| summarize UniqueSessions=dcount(tostring(customDimensions.sessionId)), Events=count() by client_CountryOrRegion
| extend AverageEventsPerSession = Events / UniqueSessions
| sort by AverageEventsPerSession desc
--average errors per session
<table>
| where customDimensions.level == 30
| summarize session_count=dcount(tostring(customDimensions.sessionId)),
event_count=count() by bin(timestamp, 1d)
| extend average_errors_per_session = event_count / session_count
| sort by timestamp asc
| project average_errors_per_session, timestamp
| render columnchart
--top error types recent version in pie chart
<table>
| where level == 50 and appVersion == "someVersionHash"
| summarize count() by message
| sort by count_ desc
| take 10
| render piechart