Azure Data Explorer Functions and Control Commands

A new employee on our team recently went through the Pluralsight Kusto course and gave it the thumbs up. However, based on the way we use Azure Data Explorer internally, there are a couple of major features that we needed to teach him about.

The first is the ability to define functions. Ad-hoc investigations are regularly performed with straight queries, but anytime we create something useful and/or want to share it with others, we create a function. There are three types of functions:

  1. Built-in functions like coalesce() or iif()
  2. Temporary functions defined in your query via a let statement
  3. Custom stored functions

That last type of function is the one that is useful for storing and sharing queries. The general flow we use is to author the query as normal and then when we get it to a good state, we store it as a function. The most basic syntax to create a function is:

.create function foo() { <query> }

And you can easily add parameters to the function like this:

.create function foo(a:string, b:datetime) { <query> }

Creating a function is a very basic way to collaborate on a query, and it scales better than sending copies of it via email.

The second feature that we introduced our new teammate to was control commands. Control commands let you interact with the Azure Data Explorer service to view metadata, modify schema, etc. All control commands begin with a period and the period must be the first character in your query. (This means that control commands cannot be inside functions or chained together.) Not all control commands are available to all users, but here are some common ones that you'll run across:

  • Creating and altering tables and functions is done via control commands.
  • There are a variety of "show" commands but some of the most useful are ".show queries" and ".show journal".
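The flow described above, from ad-hoc query to stored function to inspecting it with control commands, as an added example that is not from the original post. The table SignInEvents, its columns, the function name FailedSignIns and the folder name are hypothetical; each blank-line-separated block is run on its own.

```kusto
// 1) Prototype: a temporary function defined with let, scoped to this one query.
let FailedSignIns = (user:string, since:datetime) {
    SignInEvents                                   // hypothetical table
    | where Timestamp >= since
    | where UserName =~ user and Result == "Failure"
    | summarize Failures = count() by SourceIp, bin(Timestamp, 1h)
};
FailedSignIns("alice", ago(1d))
| order by Failures desc

// 2) Promote it: same signature and body, now stored in the database.
//    The leading period makes this a control command, so run it by itself.

.create-or-alter function with (folder = "Investigations",
    docstring = "Hourly failed sign-ins per source IP for one user")
FailedSignIns(user:string, since:datetime) {
    SignInEvents
    | where Timestamp >= since
    | where UserName =~ user and Result == "Failure"
    | summarize Failures = count() by SourceIp, bin(Timestamp, 1h)
}

// 3) Teammates call the stored function like a table.

FailedSignIns("alice", ago(7d))
| summarize Total = sum(Failures) by SourceIp
| top 10 by Total

// 4) Control commands to check the result: the stored definition,
//    then recent queries that referenced the function.

.show function FailedSignIns

.show queries
| where Text has "FailedSignIns"
| project StartedOn, User, State, Duration
| order by StartedOn desc
```

The output of a show command can be piped into query operators as in step 4, but the command itself still has to start the request, which is why steps 2 and 4 cannot be folded into the function body.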

Keep calm and Kusto on!