KQL Cheat Sheet for Microsoft Fabric (DP-700)

Essential KQL Commands

search
Purpose: Search all columns in all tables
Example: search "error"
where
Purpose: Filter rows
Example: | where State == "Texas"
project
Purpose: Select/rename columns
Example: | project Name, Age
extend
Purpose: Add a new calculated column
Example: | extend Year = Age + 10
summarize
Purpose: Aggregate data (like GROUP BY)
Example: | summarize count() by Country
order by
Purpose: Sort results
Example: | order by Timestamp desc
limit / take
Purpose: Limit number of rows
Example: | limit 5
join
Purpose: Combine tables on a key
Example: Table1 | join Table2 on ID
union
Purpose: Combine rows from multiple tables
Example: union Table1, Table2
mv-expand
Purpose: Expand arrays/lists into rows
Example: | mv-expand Tags
parse
Purpose: Extract values from strings
Example: | parse Message with "Status:" StatusCode
bin()
Purpose: Group timestamps
Example: | summarize count() by bin(Timestamp, 1h)
ago()
 Purpose: Filter by time range
Example: | where Timestamp > ago(1d)
distinct
Purpose: Get unique values
Example: | distinct City

Practice Scenario 1: Count Events in Texas

Table: StormEvents(EventType, State, Fatalities, Timestamp)
Goal: Count each EventType in Texas, sorted by frequency.

Query:
StormEvents
| where State == "TEXAS"
| summarize TotalEvents = count() by EventType
| order by TotalEvents desc

Practice Scenario 2: Time Filtering

Goal: Count how many events happened in the last 7 days, grouped by State.

Query:
StormEvents
| where Timestamp > ago(7d)
| summarize EventCount = count() by State
| order by EventCount desc

Practice Scenario 3: Join Tables

Tables:
- StormEvents(EventID, State, EventType)
- EventDetails(EventID, Description)

Goal: Join to get EventType and Description.

Query:
StormEvents
| join kind=inner (
EventDetails
) on EventID
| project EventID, EventType, Description