# KQL Queries

This page provides examples and suggestions for writing **Kusto Query Language (KQL)** commands in **ShyftSearch**.\
Use this guide to understand how to construct queries for filtering, summarizing, projecting, and organizing your dataset results effectively.

{% hint style="info" %}
**Before writing a KQL query**, you must specify the dataset ID to define the data source. The `dataset` line comes first and has no pipe in front of it:

`dataset <DataSet_ID>`

Add a `|` (pipe) before every subsequent KQL command to separate query operations. Example:

```
dataset LinuxEvents
| summarize <result_field>=mean(<field>)
```
{% endhint %}

#### Where Clause

Used to filter records that match one or more conditions. Conditions can be combined with `and` / `or`. Place `where` as early in the query as possible so that later `summarize`, `enrich`, and `order` operations run on fewer records.

```
| where <field> == <value>
| where <field> != <value>
| where <field> > <value>
| where <field> >= <value>
| where <field> < <value>
| where <field> <= <value>
| where <field> contains <value>
| where <field> contains_any [<value1>, <value2>]
| where <field> in [<value1>, <value2>]
| where <field> == <value> or <field> == <value>
| where <field> == <value> and <field> != <value>
```

#### Summarize Clause

Used to aggregate records with `count`, `sum`, `mean`, `median`, `mode`, `max`, or `min`. Without `by`, a single row is returned for the whole result set; with `by <field>`, one row is returned per distinct value of that field.

```
| summarize <result_field>=count()
| summarize <result_field>=count() by <field>
| summarize <result_field>=sum(<field>)
| summarize <result_field>=sum(<field>) by <field>
| summarize <result_field>=mean(<field>)
| summarize <result_field>=mean(<field>) by <field>
| summarize <result_field>=median(<field>)
| summarize <result_field>=median(<field>) by <field>
| summarize <result_field>=mode(<field>)
| summarize <result_field>=mode(<field>) by <field>
| summarize <result_field>=max(<field>)
| summarize <result_field>=max(<field>) by <field>
| summarize <result_field>=min(<field>)
| summarize <result_field>=min(<field>) by <field>
```

#### Time Summarization (tsummarize)

Used for time-based aggregations. Records are bucketed by `eventtime` into fixed intervals set by `span` (for example `1m` for one minute) and the aggregate is computed per bucket, producing a time series that makes bursts and gaps visible.

```
| tsummarize <result_field>=count() by eventtime span=1m
| tsummarize <result_field>=sum(<field>) by eventtime span=1m
| tsummarize <result_field>=median(<field>) by eventtime span=1m
| tsummarize <result_field>=mode(<field>) by eventtime span=1m
| tsummarize <result_field>=max(<field>) by eventtime span=1m
| tsummarize <result_field>=min(<field>) by eventtime span=1m
```
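As an added worked example (not taken from the ShyftSearch documentation), the following query counts rejected flow records per minute. It assumes that the `aws_flowlogs` dataset exposes the AWS VPC flow log field `action` under that name alongside `eventtime`, that string literals are written in double quotes, and that `//` comments are accepted as in standard Kusto; none of these are confirmed by this page, so drop the comment lines if the query is rejected.

```kql
dataset aws_flowlogs
// Filter first so only REJECT records are bucketed (field name "action" is assumed)
| where action == "REJECT"
// One bucket per minute of eventtime; count() is evaluated inside each bucket
| tsummarize rejects_per_minute=count() by eventtime span=1m
| order by eventtime asc
```

A single bucket that is far above the neighbouring ones is the usual signature of a port scan or brute-force burst; widen `span` (for example to `5m`) when the per-minute series is too noisy to read.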

#### Project Clause

Used to select or remove columns. `project` keeps only the listed fields (a wildcard keeps every field whose name matches); `project-away` removes the listed fields and keeps all others.

```
| project <field>
| project <field1>, <field2>
| project <field-wildcard>
| project-away <field-wildcard>
```

#### Enrich Clause

Used to add columns to the current results by looking up matching records in another dataset. `dataset=` names the lookup dataset, `object=` the file within it, `commonfield=` the field present in both sides on which records are matched, and `strategy=left` is a left join: every record of the current results is kept, and lookup columns are filled only where a match exists.

```
| enrich dataset=<lookup_dataset> object=<lookup_file> commonfield=<field> strategy=left
```

#### Rename Clause

Used to rename one or more fields in the dataset.

```
| rename <old_field> as <new_field>
| rename <f1> as <f1_new>, <f2> as <f2_new>
```

#### Order Clause

Used to sort results in ascending or descending order.

```
| order by <field> asc
| order by <field> desc
| order by <field1> desc, <field2> asc
```

#### Take Clause

Used to limit the number of returned records. Combine it with `order by` to get the top or bottom N; without a preceding `order by`, which records are returned should not be relied upon.

```
| take 10
| take 100
| take 1000
| take <number>
```

#### Dataset Clause

Used to specify which dataset to query. It must be the first line of every query and is not prefixed with a pipe.

```
dataset <dataset_name>
dataset aws_flowlogs
dataset gcp_flowlogs
dataset local_file_logs
```
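Putting the clauses together, here is an added example of a triage query (not from the ShyftSearch documentation): rejected flows to administrative ports, aggregated per source, enriched with a threat-intel lookup, and reduced to the ten noisiest sources. The `aws_flowlogs` dataset is named on this page; the field names `srcaddr`, `dstport` and `action`, the lookup dataset `threat_intel` with an object `known_bad_ips.csv` that carries a `srcaddr` column and a `category` column, double-quoted string literals and `//` comments are all assumptions made for illustration.

```kql
dataset aws_flowlogs
// Narrow the working set before any aggregation or join (field names assumed)
| where action == "REJECT"
| where dstport in [22, 3389]
// One row per source address with the number of rejected flows
| summarize hits=count() by srcaddr
// Enrich after summarize: the lookup is joined against distinct sources only.
// strategy=left keeps sources that are absent from the lookup (category stays empty).
| enrich dataset=threat_intel object=known_bad_ips.csv commonfield=srcaddr strategy=left
| rename srcaddr as source_ip
| project source_ip, category, hits
| order by hits desc
| take 10
```

Enriching after `summarize` rather than before it means the lookup file is matched once per distinct source instead of once per flow record, and the `take 10` only has meaning because `order by hits desc` precedes it.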
