### Using Shuffle Hint for High Cardinality Operations Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Applies the 'hint.shufflekey' to guide the query engine on how to distribute data for operations like 'summarize' or 'join' with high cardinality keys. ```Kusto Query Language hint.shufflekey= ``` -------------------------------- ### Counting Query Results Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Uses the 'count' operator to quickly get the number of rows returned by a query without retrieving the data itself. ```Kusto Query Language count ``` -------------------------------- ### Referencing Table Fully Qualified Cluster Name KQL Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md This snippet shows another example of a fully qualified reference to a table, using the cluster's name instead of the service URL. Like other fully qualified names, this is primarily for cross-cluster scenarios and should be avoided for entities within the database-in-scope. ```KQL cluster("X.Y.kusto.windows.net").database("DB").T ``` -------------------------------- ### Using Broadcast Hint for Small Left-Side Joins Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Applies the 'hint.strategy=broadcast' to optimize joins where the left-side table is small (up to 100MB), broadcasting it to all nodes. ```Kusto Query Language hint.strategy=broadcast ``` -------------------------------- ### Case-Insensitive String Comparison (Preferred) Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Uses the case-insensitive match operator '=~' for comparing a column value against a lowercase string. ```Kusto Query Language Col =~ "lowercasestring" ``` -------------------------------- ### Case-Sensitive String Comparison (Uppercase) Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Performs a case-sensitive comparison using the '==' operator when the column data is known to be in uppercase. ```Kusto Query Language Col == "UPPERCASESTRING" ``` -------------------------------- ### Case-Sensitive String Comparison (Lowercase) Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Performs a case-sensitive comparison using the '==' operator when the column data is known to be in lowercase. ```Kusto Query Language Col == "lowercasestring" ``` -------------------------------- ### Referencing Table Unqualified KQL Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md This snippet shows the simplest way to reference a table within the current database scope using its unqualified name. This is the recommended approach when the entity is in the database-in-scope as it is easier to read and typically performs better. ```KQL T ``` -------------------------------- ### Extracting Values with extract() Function Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Uses the 'extract()' function with a regular expression to extract values from strings that may not follow a consistent format or pattern. ```Kusto Query Language extract() ``` -------------------------------- ### Referencing Table Database Qualified KQL Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md This snippet demonstrates referencing a table using a database qualifier. While Kusto can often optimize this for entities within the same cluster, it is generally best to avoid qualification when referencing entities in the database-in-scope. ```KQL database("DB").T ``` -------------------------------- ### Querying a Materialized View Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Uses the 'materialized_view()' function to query only the materialized part of a view, which is faster for commonly used aggregations. ```Kusto Query Language materialized_view('MV') ``` -------------------------------- ### Referencing Table Fully Qualified Service URL KQL Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md This snippet shows a fully qualified reference to a table, including the cluster service URL and database name. Fully qualified names are necessary for cross-cluster queries but should be avoided for entities within the database-in-scope. ```KQL cluster("").database("DB").T ``` -------------------------------- ### Optimizing Lookup for Rare Keys in Dynamic Objects (Do) Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Filters records using the 'has' operator before parsing the dynamic object to improve performance when searching for rare values across millions of rows. ```Kusto Query Language MyTable | where DynamicColumn has "Rare value" | where DynamicColumn.SomeKey == "Rare value" ``` -------------------------------- ### Case-Insensitive String Comparison (Inefficient) Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Applies the 'tolower' function to the column before comparison, which can be less efficient than using the '=~' operator, especially on large datasets. ```Kusto Query Language tolower(Col) == "lowercasestring" ``` -------------------------------- ### Limiting Query Results Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Uses the 'limit' operator to restrict the number of rows returned, useful for exploring unknown datasets without returning excessive data. ```Kusto Query Language limit [small number] ``` -------------------------------- ### Filtering on Calculated Columns (Efficient Pattern) Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Applies the filter predicate directly using the calculated expression within the 'where' operator, avoiding the need to materialize the calculated column first. ```Kusto Query Language T | where predicate(Expression) ``` -------------------------------- ### Inefficient Lookup for Rare Keys in Dynamic Objects (Don't) Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Directly accesses and parses the dynamic object on all rows, which is inefficient when searching for rare values across many records. ```Kusto Query Language MyTable | where DynamicColumn.SomeKey == "Rare value" ``` -------------------------------- ### Filtering on Calculated Columns (Inefficient Pattern) Source: https://github.com/lonkecxd/architecture-best-practices-for-log-analytics/blob/main/KQL_best_practices.md Creates a new extended column for the calculated value before filtering, which can be less efficient than filtering directly on the expression. ```Kusto Query Language T | extend _value = Expression | where predicate(_value) ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.