KQL for PowerShell developers: part 1: Filtering


Today, KQL is used in more and more products. Let me bring it closer to those of you who already use PowerShell successfully in your everyday work. As you will see, the two have a lot in common, so KQL is not as challenging as it looks.

Let’s assume we have input data in a similar “form” on both sides: in KQL, a table such as Heartbeat or Perf; in PowerShell, an array of objects ($Heartbeat, $Perf) whose properties carry the same names as that table’s columns. Every example is given in KQL first and then in PowerShell.

Today, we’ll start with data filtering:

KQL:

Heartbeat
| where TimeGenerated >= ago(1d)

PowerShell:

$Heartbeat |
    Where-Object { $_.TimeGenerated -ge (Get-Date).AddDays(-1) }

Combined filters, option #1:

KQL:

Perf
| where TimeGenerated >= ago(1d) and CounterName == "Bytes Received/sec"

PowerShell:

$Perf |
    Where-Object {
        $_.TimeGenerated -ge (Get-Date).AddDays(-1) -and
        $_.CounterName -eq 'Bytes Received/sec'
    }

Combined filters, option #2:

KQL:

Perf
| where TimeGenerated >= ago(1d)
| where CounterName == "Bytes Received/sec"

PowerShell:

$Perf |
    Where-Object { $_.TimeGenerated -ge (Get-Date).AddDays(-1) } |
    Where-Object { $_.CounterName -eq 'Bytes Received/sec' }
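The three filters above, put together in one runnable script. This is an added example, not code from the original post: the $Heartbeat and $Perf rows are constructed inline to mimic the columns of the Log Analytics tables (TimeGenerated, Computer, CounterName, CounterValue), so it runs without a workspace. It also covers the two details that decide whether the PowerShell version returns the same rows as the KQL: ago(1d) and TimeGenerated are UTC, while Get-Date is local time, and KQL’s == is case-sensitive on strings, while PowerShell’s -eq is not (-ceq is the exact counterpart; -eq behaves like KQL’s =~). The -IgnoreCase switch and the function names are this example’s own.

```powershell
# Added example, not code from the original post. Sample rows are constructed
# here to mimic the Heartbeat and Perf tables (same column names), so the
# script runs offline without a Log Analytics workspace.

# KQL's ago() and the TimeGenerated column are UTC. Get-Date returns local
# time, so use a UTC reference or the window shifts by your UTC offset.
$now = [datetime]::UtcNow

# Constructed Heartbeat rows: two inside the last 24 hours, one outside.
$Heartbeat = @(
    [pscustomobject]@{ TimeGenerated = $now.AddHours(-2);  Computer = 'web01' }
    [pscustomobject]@{ TimeGenerated = $now.AddHours(-20); Computer = 'web02' }
    [pscustomobject]@{ TimeGenerated = $now.AddDays(-3);   Computer = 'web03' }
)

# Constructed Perf rows: one counter name differs only in case, one row is old.
$Perf = @(
    [pscustomobject]@{ TimeGenerated = $now.AddMinutes(-10); Computer = 'web01'; CounterName = 'Bytes Received/sec'; CounterValue = 1024 }
    [pscustomobject]@{ TimeGenerated = $now.AddMinutes(-15); Computer = 'web01'; CounterName = 'Bytes Sent/sec';     CounterValue = 2048 }
    [pscustomobject]@{ TimeGenerated = $now.AddMinutes(-20); Computer = 'web02'; CounterName = 'bytes received/sec'; CounterValue = 512  }
    [pscustomobject]@{ TimeGenerated = $now.AddDays(-2);     Computer = 'web02'; CounterName = 'Bytes Received/sec'; CounterValue = 4096 }
)

# Heartbeat | where TimeGenerated >= ago(1d)
function Get-RecentHeartbeat {
    param(
        [object[]]$Rows,
        [datetime]$Since = [datetime]::UtcNow.AddDays(-1)   # ago(1d), in UTC
    )
    $Rows | Where-Object { $_.TimeGenerated -ge $Since }
}

# Perf
# | where TimeGenerated >= ago(1d)
# | where CounterName == "Bytes Received/sec"
# Written as two Where-Object stages ("option #2"); the result is the same as
# one stage joined with -and ("option #1").
# KQL's == is case-sensitive, so -ceq is the exact equivalent; -eq is
# case-insensitive and corresponds to KQL's =~ instead.
function Get-RecentBytesReceived {
    param(
        [object[]]$Rows,
        [datetime]$Since = [datetime]::UtcNow.AddDays(-1),
        [switch]$IgnoreCase   # hypothetical switch: emulate =~ instead of ==
    )
    # First where clause: the time window
    $inWindow = $Rows | Where-Object { $_.TimeGenerated -ge $Since }
    # Second where clause: the counter name, case-sensitive unless asked otherwise
    $inWindow | Where-Object {
        if ($IgnoreCase) { $_.CounterName -eq  'Bytes Received/sec' }
        else             { $_.CounterName -ceq 'Bytes Received/sec' }
    }
}

# @() keeps .Count meaningful when a filter returns zero or one row.
$recentHeartbeat = @(Get-RecentHeartbeat -Rows $Heartbeat)
$exact = @(Get-RecentBytesReceived -Rows $Perf)               # like KQL ==
$loose = @(Get-RecentBytesReceived -Rows $Perf -IgnoreCase)   # like KQL =~

"Heartbeat rows in the last day  : $($recentHeartbeat.Count)"
"Perf rows, case-sensitive match : $($exact.Count)"
"Perf rows, case-insensitive     : $($loose.Count)"
$loose | Format-Table TimeGenerated, Computer, CounterName, CounterValue -AutoSize
```

Running it shows the difference directly: the case-sensitive filter drops the 'bytes received/sec' row that the -eq version keeps, and both drop the two-day-old row. If your $Perf comes from a query cmdlet that returns TimeGenerated as a string rather than a [datetime], cast it ([datetime]$_.TimeGenerated) before comparing, otherwise -ge compares text, not time.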

That’s all for today, happy KQLing 😉