There's a typo here:

Really we should return OperatorKind.NotEndsWithCs in this case. This is causing the ReferencedSymbol for the BinaryOperatorExpression node to reference the wrong symbol (Operators.NotEndsWith Vs. Operators.NotEndsWithCs)

Hello,

Current Behavior of "summarize by"

Currently, using "summarize by " throw the following error:
Summarize group key 'dynamic column' is of a 'dynamic' type. Please use an explicit cast (for example, 'summarize ... by tostring(process_path)') as grouping by a 'dynamic' type is not supported.

Enhancement proposition

Enhancement could be "summarize" casting by default to string any column specified after the "by" clause before proceeding to the aggregation. Usability will be greatly improved by removing useless tostring(mycol).
I don't think this change will cause compatibility issues because of the current behavior raising an error, so that no query could be working currently if there isn't an explicit cast.

hopefully

Hi,
I follow this guide find all the database tables referenced in a query to extract tables.

While I found an interesting thing that it seems the query length has an impact on the result. I try for a query with length over 200 and 4 reference table. The parsing results only return 2 tables, the rest 2 tables location are behind the 100th characters .

Is there a limitation with the query length or query complexity?
Thank you!

The ad_flag column exists and clearly visible in the results, but intellisense complains that it doesn't.

Hi, we're using the JS version of the packages and noticed the typings are not correct, I can't find Bridge.NET library anywhere to see how those typings are generated.

Typing errors:

  Named property 'GetEnumerator' of types 'SyntaxList' and 'IReadOnlyList$1<TElement>' are not identical.

15915     interface SyntaxList$1<TElement> extends Kusto.Language.Syntax.SyntaxList,System.Collections.Generic.IReadOnlyList$1<TElement> {
                    ~~~~~~~~~~~~

node_modules/@kusto/language-service-next/Kusto.Language.Bridge.d.ts:15915:15 - error TS2320: Interface 'SyntaxList$1<TElement>' cannot simultaneously extend types 'SyntaxList' and 'IReadOnlyList$1<TElement>'.
  Named property 'getItem' of types 'SyntaxList' and 'IReadOnlyList$1<TElement>' are not identical.

15915     interface SyntaxList$1<TElement> extends Kusto.Language.Syntax.SyntaxList,System.Collections.Generic.IReadOnlyList$1<TElement> {
                    ~~~~~~~~~~~~

node_modules/@kusto/language-service-next/Kusto.Language.Bridge.d.ts:15917:29 - error TS2694: Namespace 'System' has no exported member 'Type'.

15917         ElementType: System.Type | null;
                                  ~~~~

node_modules/@kusto/language-service-next/Kusto.Language.Bridge.d.ts:22280:29 - error TS2694: Namespace 'System' has no exported member 'Type'.

22280         ElementType: System.Type | null;
                                  ~~~~


Found 4 errors.

Any information would be much appreciated!
Thx

This works:

ADFActivityRun
| where TimeGenerated > ago(3d)
| extend  duration2 = (End - Start)

This fail:

 ADFActivityRun
| where TimeGenerated > ago(3d)
 extend duration2 = format_datetime((End - Start),'y-M-d h:m:s.fffffff')

Redundant but just in case, fail too

 ADFActivityRun
| where TimeGenerated > ago(3d)
extend duration2 = format_datetime((todatetime(End) - todatetime(Start)),'y-M-d h:m:s.fffffff')

Is there any official Microsoft-provided Grammar file for Kusto? I have been unable to locate one. There are various third-party / unofficial ones bouncing around Github for various parsers, but it would be much simpler to support Kusto with an official and known accurate reference grammar file.

I found that even in trivial cases, real Kusto seems to widen int's to long's, which doesn't match Kusto.Language analysis behavior.

Something as simple as the Add operator illustrates this:

print v=int(1) + int(2)

Kusto.Language analysis of query indicates the result type is (v: int), but real Kusto produces (v:long) (verified using print v=gettype(int(1) + int(2))).

Are there docs to explain this behavior and whether this is expected or if it is a bug in the analyzer or in the engine?

Possibly related

See also: #67

The same kind of widening might be playing a role for a function call like bin(int(9), int(5)). Instead of produing int, real Kusto produces long. Not sure if arguments are always widened from int to long, or if the bin function simply isn't implemented for int inputs.

Currently, SyntaxList does not support LINQ queries, e.g.

SyntaxList elements = ...
elements.Select(x => x.ToString());

This can be supported by having the class implement IEnumerable<SyntaxElement>.

It is comparable to Microsoft.CodeAnalysis.SyntaxList.

I'm not sure if this is a bug on KQL's side, or my side, but I decided to report it because I can't get it to work and it's providing unexpected behavior.

DeviceProcessEvents
| where DeviceName contains "xxx"
| where AccountName contains "xxx"
| where 
    ProcessCommandLine contains "tasklist" or  
    ProcessCommandLine contains 'wmic'
| project AccountUpn, DeviceName, ProcessCommandLine

Produces the following output:

Note the output for ProcessCommandLine. Interestingly enough, changing the query to the following:

DeviceProcessEvents
| where DeviceName contains "xxx"
| where AccountName contains "xxx"
| where 
    ProcessCommandLine contains "tasklist" or  
    ProcessCommandLine contains 'wmic process get /format:list'
| project AccountUpn, DeviceName, ProcessCommandLine

Produces the following:

I'm not sure why this is? Is there something wrong with my syntax, or is this something that needs to be looked at? I've tried using has, contains, ==, and nothing seems to resolve it.

Thank you in advance!

Hi :)
I wish to get all the columns that will be projected as a result from the query (same way getschema works) is there an option to do so using the NuGet?

just to clarify, I wish to get all the columns even if there is no project statement,
Like:
amitTable
| take 1

should return all the columns in amitTable

Thanks in advance,
Amit

In the code below itellisense redlines the new column with the warning that it doesn't exist, but the code runs fine and the column clearly exists. See screenshot below.

let T = materialize (
    StormEvents
    | where State in~ ("Alaska","Arkansas","Hawaii")
    | summarize Events = count() by EventType, State
);
// state totals
T | summarize StateEvents = sum(Events) by State
// state/event totals
| join T on State
| project State, EventType, EventRatio = 1.0 * Events/StateEvents
// for some fun
| top-nested 3 of State by Dummy = max(1)
    , top-nested 4 of EventType with others = "Other" by EventRatio = sum(EventRatio)
| where isnotempty(State)
| project-away Dummy
| render piechart with (xcolumn=EventType,  ysplit=panels)

Summary

The union operator can rename output columns to resolve conflicts when inputs have mismatched types, but the library does not surface critical info about such renames, and it becomes impossible (except by rewriting substantial parts of the internal logic) to follow such column renames, since the new ColumnSymbol's have no relationship to the original.

Example of a not-so-trivial query where this takes place:

let a = datatable(a:long, a_string:string) [ 123, 'abc' ];
let b = datatable(a:string) [ '123' ] ;
a | union b

The resulting type is a TableSymbol (a_long: long, a_string: string, a_string1: string). The mapping between original columns and output columns is non-obvious, and it would be great if the Kusto library would make it easier to follow.

Proposal

Add a new property (perhaps ReferencedColumn or OriginalColumn) to ColumnSymbol that links to the original ColumnSymbol before the rename. Consumers wanting to find all uses of a symbol could then easily follow the chain of renames.

Motivation

This would enable better intellisense experiences (highlighting an occurrence of the output column could also highlight previous occurrences of the column across renames). It would also facilitate implementing the union operator (and likely other parts of the language) in baby-kusto.

This looks (at first glance at least) like an easy change to make, and perhaps only this piece of code would be impacted:

I would like to see this webhook working

I love the power of the KQL language. It's an absolute joy to use.
Are there any other products, platforms or open source services that support KQL?

ConfigurationChange
| where ConfigChangeType == "WindowsServices"
and SvcState == "Stopped"
and (
Computer has "NH-P2PAPP01.networkhg.org.uk"
or Computer has “NET-P2PLIVEAPP1.networkhg.org.uk"
or Computer has “NET-P2PTESTAPP.networkhg.org.uk”
)
and (
     SvcDisplayName == "Integra eSeries FINPROD"
    or SvcDisplayName  == "Integra SPC FINPROD” 
    or SvcDisplayName == "Integra UAS FINPROD"                   
    or SvcDisplayName  == "Integra eSeries FINDEV"
    or SvcDisplayName  == "Integra SPC FINDEV"
    or SvcDisplayName  == "Integra UAS FINDEV"
    or SvcDisplayName  == "Integra eSeries Duet"
    or SvcDisplayName  ==  “Integra eSeries SPTDEV"
    or SvcDisplayName  == "Integra eSeries FINARCH"
)

My other query is working with similar format, expect this one is being added as a custom query, I can find anything wrong

The request had some invalid properties , it keeps on saying that.

The following code runs fine, but intellisense redlines the kind keyword.

StormEvents
| top-nested 5 of EventType by count()
| join StormEvents on EventType
| summarize count() by EventType, monthofyear(StartTime)
| render areachart kind = stacked100

Hey,
I saw in the examples that it is possible to add functions to the analyzer, so that it will take them into account when analyzing the query.
The example that is shown there is of a function without parameters:

new FunctionSymbol("TallShapes", "{ Shapes | where width < height; }")

I was wondering if it is possible to show an example of using a function with parameters?

Ideally I will supply a function name, the parameters that it expects to get, and the schema of the result, and the analyzer would take this information into account.

Thanks!

Below statements would not produce the expected time chart:

let data=datatable(timestamp:datetime, statuscode: int, metric: real)
[
  datetime(2016-12-31T06:00), 200, 50,
  datetime(2017-01-01), 200, 4,
  datetime(2017-01-02), 200, 3,
  datetime(2017-01-03), 200, 4,
  datetime(2017-01-03T03:00), 200, 6,
  datetime(2017-01-05), 200, 8,
  datetime(2017-01-05T13:40), 200, 13,
  datetime(2017-01-06), 200, 4,
  datetime(2017-01-07), 200, 3,
  datetime(2017-01-08), 200, 8,
  datetime(2017-01-08T21:00), 200, 8,
  datetime(2017-01-09), 200, 2,
  datetime(2017-01-09T12:00), 200, 11,
  datetime(2017-01-10T05:00), 200, 5,
  datetime(2016-12-31T06:00), 202, 5,
  datetime(2017-01-01), 202, 14,
  datetime(2017-01-02), 202, 13,
  datetime(2017-01-03), 202, 41,
  datetime(2017-01-03T03:00), 201, 16,
  datetime(2017-01-05), 201, 18,
  datetime(2017-01-05T13:40), 500, 16,
  datetime(2017-01-06), 204, 14,
  datetime(2017-01-07), 206, 23,
  datetime(2017-01-08), 400, 18,
  datetime(2017-01-08T21:00), 500, 28,
  datetime(2017-01-09), 500, 12,
  datetime(2017-01-09T12:00), 400, 111,
  datetime(2017-01-10T05:00), 500, 25,
];
let interval = 1d;
let stime = datetime(2017-01-01);
let etime = datetime(2017-01-10);

data
| make-series Count=sum(metric) default=0 on timestamp from stime to etime step interval by statuscode
| render timechart;

However if we changed the chart render statement to:

data
| make-series Count=sum(metric) default=0 on timestamp from stime to etime step interval by tostring(statuscode)
| render timechart;

The result looks as expected

Class Operators should be public to be consistent with class Functions that is already public:

This would be useful e.g. in https://github.com/microsofthackathons/baby-kusto-csharp to match Kusto operators to specific implementations, using the OperatorSymbol as the key to match on.

Example webpage: https://docs.microsoft.com/en-us/azure/kusto/query/

The text under the Overview header currently links to

https://github.com/MicrosoftDocs/Kusto/blob/live/docs/query/index.md

when it should be

https://github.com/microsoft/Kusto-Query-Language/blob/master/doc/index.md.

This applies to other pages as well.

Hey,
We are using the kusto.language nuget (version 9.2.0), and we noticed that the function has_any_ipv4() is not supported.

Trying to upgrade to latest version did not solve the issue.

We use this nuget to validate queries, and it tells our customers that their queries are invalid when they are using this function.

I would like to be able to pass in a string variable as the ConnectionString to the externaldata operator.

externaldata ( ColumnName : ColumnType [, ...] )
[ StorageConnectionString [, ...] ] <--- To this value right here
[with ( PropertyName = PropertyValue [, ...] )]

The documentation only shows that it must be a static, hardcoded value enclosed in quotes, like this example from the documentation:
Users | where UserID in ((externaldata (UserID:string) [ @"https://storageaccount.blob.core.windows.net/storagecontainer/users.txt" h@"?...SAS..." // Secret token needed to access the blob ])) | ...

This query would throw an exception. Is there any "tricks" to execute queries such as this one?
let my_url_variable = "www.example.com" Users | where UserID in ((externaldata (UserID:string) [ my_url_variable ])) | ...

Based in the manual this metric must be AVG Link

AzureMetrics   
| where ResourceProvider == 'MICROSOFT.DATAFACTORY'
| where Resource == 'xxx'
| where MetricName  ==  'IntegrationRuntimeAvailableMemory' 
| project TimeGenerated, Average
| order by TimeGenerated asc
| render timechart

But I suspect that is not true:

If I write data into a column which is data type dynamic, fields which match to uuid format are converted to lower case automatically.

if I parse a string with extractjson I get the uuid in upper case:

print('{"uuid":"6F77A167-8B36-49BB-8846-497B7F1BE1BF"}')
| extend uuid = extractjson("$.uuid", print_0)

// result: 6F77A167-8B36-49BB-8846-497B7F1BE1BF

but in case of using type dynamic or parse_json the conversion to lower case happens:

print('{"uuid":"6F77A167-8B36-49BB-8846-497B7F1BE1BF"}')
| extend uuid = parse_json(print_0)

// result: {"uuid":"6f77a167-8b36-49bb-8846-497b7f1be1bf"}

print('{"uuid":"6F77A167-8B36-49BB-8846-497B7F1BE1BF"}')
| extend uuid = todynamic(print_0)

// result: {"uuid":"6f77a167-8b36-49bb-8846-497b7f1be1bf"}

Can you please give an indication if this is intended behaviour? From my point of view there is no need to convert uuids to lower case by default, is there a drawback when keeping the case sensitivity?

In my case the system which is used relies on the case sensitive data and cannot change this short term.

Is there a way to use json objects (not only single field values) in ADX without getting all the uuids converted to lower case?

Thanks!

Intellisense redlines this function call stating that the series_decompose function expects 4 arguments, but the code runs fine and documentation provides for up to 5 arguments:

Syntax

series_decompose(Series [, Seasonality, Trend, Test_points, Seasonality_threshold])

In KQL, there are multiple aggregation methods available like series_fill_forward, series_fill_backward, etc... These functions work on a series, so in most of the cases, you need to define the series first via make-series.
make-series allows you to fill in the gaps via the default argument. As far as I know, the value that is passed as 'default' must be a const.

It would be nice if we could combine the 'interpolation' with the make-series function, so that it is allowed to do something like this:

make-series myseries = max(value) default=fill_previous on timestamp .... 

I am using KQL language under log analytics workspace (Azure monitoring)

Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space" and Computer != "net-fs3.networkhg.org.uk" and Computer != "NET-FS1.networkhg.org.uk" and Computer != "NET-SQL3.networkhg.org.uk" and Computer != "NET-EDMLIVEDB1.networkhg.org.uk" and Computer != "NET-EDM_KOFAX1.networkhg.org.uk"
| summarize Free_Space = min(CounterValue) by Computer, InstanceName
| where strlen(InstanceName) == 2 and InstanceName contains ":" and Computer != "NET-REPAIR2.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "NH-E2016-01.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "NH-E2016-02.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "net-boxi1.networkhg.org.uk" and InstanceName !contains ":D"
| where Free_Space < 10

Can you please help me with this query, I want to make sure that, only one of instance of the computer is being monitored instead of all, for example

In this instance I want that computer to avoid D drive instead of all drives, like I have specified in the query for all the computers, as I want other drives to be monitored.
Computer != "net-boxi1.networkhg.org.uk" and InstanceName !contains ":D"

Not to be confused with "funnel step" or "sequence step", phrases used elsewhere in the same page of documentation, "Step" or "window" has a large impact on the results returned by the function. Under the hood it appears that the function may be binning the TimelineColumn but exactly how and why that bin impacts which records are counted is unclear. For example does this mean that records are only counted when they map to the same bin regardless of the array passed as MaxSequenceStepWindows? Should I just always select the largest bin to get one funnel per sequence step window? Why is the sum of funnel sequence step counts binned with a window of 1d so different than that of a single large window of say 365d?

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request

Hello! I have a quick question regarding a rather new plugin that was introduced, the sequence_detect plugin.

I came across the documentation regarding the plugin, but when attempting to write a query using this plugin, I receive the following error: 'The plug-in function sequence_detect is not defined.'

I've also noticed that the sequence_detect plugin is not included in PlugIns.cs. Is this plugin not yet supported?

Thanks in advance for any help or feedback!

Azure Monitor has workspace and adx keywords for cross-resource KQL queries which does not seem to be handled by Kusto-Query-Language:

• Analysis succeeds:

SecurityAlert | extend ExtendedProperties = parse_json(ExtendedProperties)

• Analysis fails:

workspace('e7a8b8c9-5a5e-44a3-afc2-7885fc6f8b00').SecurityAlert | extend ExtendedProperties = parse_json(ExtendedProperties)

Error:

{
    "Code": "KS107",
    "Category": "General",
    "Severity": "Error",
    "Description": "A value of type 'string' expected.",
    "Message": "A value of type 'string' expected.",
    "HasLocation": true,
    "Start": 105,
    "Length": 18,
    "End": 123
}

• Analysis fails:

adx('https://help.kusto.windows.net/Samples').SecurityAlert | extend ExtendedProperties = parse_json(ExtendedProperties)

Error:

{
    "Code": "KS107",
    "Category": "General",
    "Severity": "Error",
    "Description": "A value of type 'string' expected.",
    "Message": "A value of type 'string' expected.",
    "HasLocation": true,
    "Start": 101,
    "Length": 18,
    "End": 119
}

Doc: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/cross-workspace-query

Code:

var query = "workspace('e7a8b8c9-5a5e-44a3-afc2-7885fc6f8b00').SecurityAlert | extend ExtendedProperties = parse_json(ExtendedProperties)";

var globals = GlobalState.Default
        .WithCluster(new ClusterSymbol("mycluster.kusto.windows.net"))
        .WithDatabase(new DatabaseSymbol("MyDatabase"));

var parse = KustoCode.Parse(query, globals);

var parseErrors = parse.GetDiagnostics();
if (parseErrors.Count > 0)
{
    throw new ApplicationException($"KQL query parsing error: {JsonSerializer.Serialize(parseErrors)}");
}

parse = parse.Analyze(globals);

var analysisErrors = parse.GetDiagnostics()
    // Ignore expected errors
    .Where(
        d =>
            d.Code != "KS204" && // "The name '{name}' does not refer to any known table, tabular variable or function."
            d.Code != "KS142" && // "The name '{name}' does not refer to any known column, table, variable or function."
            d.Code != "KS143"    // "The function '{name}' is not defined."
        ).ToList();
if (analysisErrors.Count > 0)
{
    throw new ApplicationException($"KQL query analysis error: {JsonSerializer.Serialize(analysisErrors)}");
}

Kusto allows certain special characters in entity names, such as -, _ and .. When using these names in queries you need to escape them, according to the Kusto Entity name documentation.

Unfortunately, if you are not aware that these need to be escaped, and use them in queries, the error message you get just says 'Syntax error', and doesn't lead you towards solving the problem. It would be better if the error message provided more guidance.

To reproduce

I have been setting up Azure Data Explorer to show data in Grafana, using the Visualize data from Azure Data Explorer in Grafana guide. I am using my own database and table names, and my database is called iotea-scales.

There is a set to set up Azure Active Directory, and you run this query:

.add database {TestDatabase} viewers ('aadapp={ApplicationID};{TenantID}')

I adjusted this for my database, giving the following:

.add database iotea-scales viewers ('aadapp=<appId>;<tenantId>')

When running this, I get this error:

The syntax error is not described, it is just shown as a syntax error.

Expected

The syntax error should be more descriptive, helping to find and fix the issue.

Based on the structure of the query, the text between spaces after .add database should be a database name, so is it possible for the parser to know this, and guide the user to escape the name if it contains special characters?

The following code has an item redlined but the query runs without errors.

datatable (Item:string, Condition:string, Value:int) 
    [
        "apples","fresh",50, 
        "apples","dry",50, 
        "oranges","fresh",20, 
        "bananas","fresh",30
    ]
| top-nested 1 of Item by sum(Value), top-nested 100 of Value by TotalValue = sum(Value)
| project Item, TotalValue

May be related to issue #5

Can we have the .sln file added for the project under src folder.

It'd be nice if we can have the .sln file added as we can open up the code straight away on Visual Studio (developing and debugging C# projects is much better on VS).

Can you please help me with kusto query to get http errors of 4xx and 5xx with custom date and time

Intellisense redlines itemindex column name downstream if it is separated by whitespace from the expression at definition, see screenshots.

datatable(BoxID:int, Fruit:string) [42, 'Apple,Orange,Banana']
| mv-expand with_itemindex = Index Content = split(Fruit,',')
| project BoxID, Content, Index

Feature ask

There is no way (that I could find) to determine the Signature that was bound for a function call or operator.
Right now I am having to replicate large amounts of code from Binder_FunctionCalls.cs (the entirety of GetBestMatchingSignatures and friends).

Specifically, it would help if the SemanticInfo would somehow include the signatures that were selected.

Motivation

This would help produce better dev experiences knowing the signature that matched a given call-site or operator. It would also help projects like https://github.com/microsofthackathons/baby-kusto-csharp implementing a self-contained Kusto engine that has to figure out what overload of a function to invoke.

Hi there, I am unable to find Information regarding algorithms used to implement series_decompose() and series_decompose_forecast(). Further, I read the book mentioned in series_decompose() regarding information and I believe its one of X11, SEATS or STL. Please tell me what was used and later what algorithm is being used for forecasting that decomposed parameters out of time series?

I've got exception while executing this:

customEvents
| where name == "algorithm.comparison.substitution" 
| project samples = parse_json(tostring(customDimensions["payload.samples"]))
| extend b = samples.bulk
| extend r = samples.rowByRow
| extend bulk_stats = series_stats_dynamic(b)
| extend rowByRow_stats = series_stats_dynamic(r)
| extend series_decompose(b, 0, 'linefit')

where customDimensions["payload.samples"]) looks like that
{"bulk":[48.8009,53.8592,...],"rowByRow":[66.3999,64.3826,...]}

The query was aborted by the server.
Details: Partial query failure: 0x80131620 (message: 'An exception has been thrown when reading the stream.: ', details: 'Source: System.ServiceModel
System.IO.IOException: An exception has been thrown when reading the stream. ---> System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '01:00:00'. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
at System.ServiceModel.Channels.SocketConnection.ReadCore(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, Boolean closing)
--- End of inner exception stack trace ---
at System.ServiceModel.Channels.SocketConnection.ReadCore(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, Boolean closing)
at System.ServiceModel.Channels.SocketConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)
at System.ServiceModel.Channels.DelegatingConnection.Read(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout)
at System.ServiceModel.Channels.SingletonConnectionReader.SingletonInputConnectionStream.ReadCore(Byte[] buffer, Int32 offset, Int32 count)
at System.ServiceModel.Channels.SingletonConnectionReader.SingletonInputConnectionStream.Read(Byte[] buffer, Int32 offset, Int32 count)
at System.IO.Stream.ReadByte()
at System.ServiceModel.Channels.MaxMessageSizeStream.ReadByte()
at System.Xml.XmlBufferReader.TryEnsureByte()
at System.Xml.XmlBinaryReader.ReadNode()
at System.Xml.XmlBaseReader.MoveToContent()
at System.ServiceModel.Dispatcher.StreamFormatter.MessageBodyStream.Read(Byte[] buffer, Int32 offset, Int32 count)
--- End of inner exception stack trace ---
at System.ServiceModel.Dispatcher.StreamFormatter.MessageBodyStream.Read(Byte[] buffer, Int32 offset, Int32 count)
at Kusto.Cloud.Platform.Utils.StreamChainBase.Read(Byte[] buffer, Int32 offset, Int32 count) in C:\source\Src\Common\Kusto.Cloud.Platform\IO\StreamChainBase.cs:line 250
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Kusto.Cloud.Platform.Utils.StreamChainBase.Read(Byte[] buffer, Int32 offset, Int32 count) in C:\source\Src\Common\Kusto.Cloud.Platform\IO\StreamChainBase.cs:line 260
at Kusto.DataNode.Interop.StreamSource.Read(IntPtr buf, Int32 cb) in C:\source\Src\Engine\DataNode\ExtentService\Interop\Streams.cs:line 61')
Request id: 2b3b4217-d75b-4014-beae-12376ea08f01
Need Help?
Recommendations on writing efficient log queries.

Hi team, I hope to unit test my KQL queries.

Do we have something like KQL engine to parse the query and simulate in a memory database?

For example, I have a query like data | project name. I can provide mock data like [{name:"hello", age: 1}], how can I get the computed result [{name:"hello"}] without running in Kusto Cluster?

Thanks

Hello, in our team we use single script file for multiple ingest commands like

.set-or-replace A <| Cook_A()

.set-or-replace B <| Cook_B()

This file however cannot be parsed correctly even if the commands are ended by a semicolon.

.set-or-replace A <| Cook_A();

.set-or-replace B <| Cook_B();

I think the culprit is in CommandGrammar.cs:172

var commandBlock =
    Rule(
        SeparatedList(
            commandStatement, // first one is a command statement
            SyntaxKind.SemicolonToken,
            q.Statement,      // all others elements are query statements               <- ##### when this line is deleted the second case works but still the first one won't
            MissingCommandStatementNode,
            endOfList: EndOfText,
            oneOrMore: true,
            allowTrailingSeparator: true),
        Optional(skippedTokens), // consumes all remaining tokens (no diagnostic)
        Optional(Token(SyntaxKind.EndOfTextToken)),
        (cmd, skipped, end) =>
            new CommandBlock(cmd, skipped, end));

return new CommandGrammar(commandBlock);

ConfigurationChange
| where ConfigChangeType == "WindowsServices"
and SvcState == "Stopped"
and (
Computer has "NET-SQL2.networkhg.org.uk"
or Computer has "NET-SQL3.networkhg.org.uk"
or Computer has "NET-GISSQL1.networkhg.org.uk"
or Computer has "NET-CALSQL.networkhg.org.uk"
)
and (
SvcDisplayName == "SQL Full-text Filter Daemon Launcher (TEST)"
or SvcDisplayName == "SQL Full-text Filter Daemon Launcher (MSSQLSERVER)"
or SvcDisplayName == "SQL Full-text Filter Daemon Launcher (SQLEXPRESS)"
or SvcDisplayName == " SQL Server (MSSQLSERVER)"
or SvcDisplayName == "SQL Server (Test) "
or SvcDisplayName == "SQL Server Agent (MSSQLSERVER)"
or SvcDisplayName == "SQL Server Agent (Test)"
or SvcDisplayName == "SQL Server Browser"
or SvcDisplayName == "SQL Server Integration Services 10.0"
or SvcDisplayName == "SQL Full-text Filter Daemon Launcher (FIDO)"
or SvcDisplayName == "SQL Full-text Filter Daemon Launcher (SUN)"
or SvcDisplayName == "SQL Server (FIDO)"
or SvcDisplayName == "SQL Server (SUN)"
or SvcDisplayName == "SQL Server Agent (FIDO)"
or SvcDisplayName == "SQL Server VSS Writer"
or SvcDisplayName == " SQL Server Integration Services 11.0"
or SvcDisplayName == "SQL Server Reporting Services (MSSQLSERVER)"
or SvcDisplayName == "SQL Server Reporting Services (SQLEXPRESS)"
or SvcDisplayName == "SQL Server Analysis Services (MSSQLSERVER)"
)

Question to ask, if one of the service gets stopped in any of the server mentioned above, will I get an email with regards to that server or all the servers will be listed

test another one

It seems like the bin function declaration is incorrect since it declares ReturnTypeKind.Parameter0 and this doesn't match actual Kusto behavior.

Trivial example:

print v = bin(10, 1.5)

Kusto.Language analysis of this query claims the result type is (v:long), but real Kusto produces (v:real).

Same issue, slightly more complex example

In this case, the implications are more significant:

print v=bin(5, 0.8)
| union (print v=1234.5)

Kusto.Language analysis of this query claims the result type is (v_long: long, v_real: real), but real Kusto produces (v:real).

More info

Tested with Microsoft.Azure.Kusto.Language version 10.0.1. Used App Insights to verify Kusto behavior in case this is relevant.

All four geospatial functions (as documented here) are redlined by intellisense, even though queries run fine.

just testing the notifications

In the code below Intellisense marks hash() functions with red underline, but the query works fine.

StormEvents
| extend ComboHash = hash_combine(hash(State), hash(EventType))
| project ComboHash, State, EventType
| take 100