KQL and SQL: A Comparison of Query Languages

Since Microsoft launched Kusto Query Language (KQL) and Azure Data Explorer (ADX) at the Microsoft Ignite Conference in 2018 (which was made generally available in February 2019), it has gained considerable traction within the market. More than ever before, analysts are paying attention to SQL.

It’s my understanding that most data professionals are familiar with SQL, but a fundamental difference regarding the query languages is that KQL is not designed for managing structured data in relational databases, whereas SQL is. KQL assumes a tabular data model of tables and columns with a minimal set of data types. Finally, KQL does not support defining relationships between tables or enforcing constraints on the data.

KQL is ideal when you want to perform fast and interactive analysis on large and diverse datasets, such as streaming data, structured data, semi-structured data, or unstructured data. KQL can handle complex queries that involve multiple data sources, joins, aggregations, filters, transformations, and more. Similarly, KQL can also integrate with various tools and platforms, such as Power BI, Azure Monitor, Azure Sentinel, Visual Studio Code, and Jupyter Notebooks.

The best part? KQL is open source and its GitHub is here.

How Do KQL and SQL Differ?

KQL and SQL are both query languages that can be used to retrieve data from databases or data sources. However, they have some key differences that make them suitable for different scenarios and use cases.

KQL is a powerful tool to explore your data and discover patterns, identify anomalies and outliers, create statistical modeling, and more. KQL is a read-only request to process data and return results, using a data-flow model that is easy to read, author, and automate. Lastly, KQL uses schema entities that are organized in a hierarchy like SQLs: databases, tables, and columns.

Therefore, KQL cannot be used to query structured and relational databases directly. However, KQL can be used to query data that is ingested from relational databases into Azure Data Explorer or Azure Synapse Analytics, if the data is formatted as tables and columns. This way, KQL can leverage the scalability and performance of these services to analyze large amounts of data from various sources.

With this fundamental difference in mind, let’s take a look at other major differences between KQL and SQL:

• KQL is designed for streaming data and real-time analytics, while SQL is mainly used for relational data and on-demand queries. KQL can process data as it arrives, without requiring a predefined schema or a fixed data model. SQL, on the other hand, relies on a predefined schema and a fixed data model, and is more suitable for querying data that is already stored and structured.
• KQL is a data-flow language, while SQL is a declarative language. KQL uses a data-flow model that consists of a series of operators that are applied to the input data, producing output data. KQL operators are similar to functions or methods in programming languages and can be chained together to form complex queries. SQL, on the other hand, uses a declarative model that specifies the desired result, without specifying how to achieve it. SQL relies on the underlying database engine to optimize and execute the query plan.
• KQL has a simpler and more intuitive syntax than SQL. KQL syntax is based on the pipe (|) symbol, which separates the operators and their arguments. KQL syntax is easy to read, write, and automate, and does not require cumbersome nesting or aliasing. SQL syntax, on the other hand, is based on keywords, clauses, and parentheses, which can make the queries more complex and verbose. SQL syntax also requires more nesting and aliasing, which can affect the readability and maintainability of the queries.

Here is an example of an SQL query to join sales and customer tables:

SELECT c.customer_name, s.order_id, s.order_date, s.order_amount

FROM customer c

INNER JOIN sales s

ON c.customer_id = s.customer_id;

// KQL query sample to join sales and customer tables:

sales

| join kind=inner customer on customer_id

| project customer_name, order_id, order_date, order_amount;

• KQL has more features and functions than SQL. KQL has a rich set of operators and functions that can perform various tasks, such as filtering, grouping, aggregating, joining, projecting, extending, sorting, ranking, pivoting, binning, clustering, anomaly detection, time series analysis, machine learning, and more. KQL also supports user-defined functions, plugins, and external data sources. SQL, on the other hand, has a limited set of features and functions, and depends on the specific database engine or platform for additional capabilities. SQL also does not support user-defined functions, plugins, or external data sources.

What Data Sources Can KQL Be Applied To?

KQL can be applied to a variety of data sources, types, size, and other features. Some of the data sources that can be queried with KQL are:

1. Azure Data Explorer (ADX): ADX is a fast and scalable data analytics service that can ingest, store, and query data from various sources, such as applications, websites, IoT devices, logs, metrics, and more. ADX supports both structured and unstructured data and can handle petabytes of data with high performance and availability. ADX is the primary data source for KQL and provides a fully integrated environment for data exploration and analysis.
2. Application Insights: Application Insights is a service that monitors the performance, availability, and usage of web applications and services. Application Insights collects telemetry data from the application, such as requests, exceptions, dependencies, traces, custom events, metrics, and more. Application Insights data can be queried with KQL to gain insights into the application’s health, performance, and user behavior.
3. Azure Monitor: Azure Monitor is a service that collects and analyzes data from various Azure resources, such as virtual machines, containers, databases, networks, and more. Azure Monitor data can be queried with KQL to monitor the status, performance, and availability of the Azure resources, and to troubleshoot issues and optimize operations.
4. Azure Sentinel: Azure Sentinel is a service that provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities for Azure and hybrid environments. Azure Sentinel collects data from various sources, such as Azure resources, Microsoft 365, third-party applications, and more. Azure Sentinel data can be queried with KQL to detect, investigate, and respond to security threats and incidents.
5. Azure Log Analytics: Azure Log Analytics is a service that collects and analyzes data from various sources, such as Azure resources, Windows and Linux servers, agents, and more. Azure Log Analytics data can be queried with KQL to perform log management, IT operations management, and security analytics.
6. Azure Storage: Azure Storage is a service that provides scalable and durable cloud storage for various types of data, such as blobs, files, queues, tables, and disks. Azure Storage data can be queried with KQL by using the Azure Storage Explorer tool, which allows browsing, uploading, downloading, and querying data from Azure Storage accounts.
7. Azure Event Hubs: Azure Event Hubs is a service that provides a scalable and reliable event ingestion and streaming platform for various types of data, such as telemetry, logs, metrics, and more. Azure Event Hubs data can be queried with KQL by using the Azure Data Explorer connector, which allows ingesting data from Azure Event Hubs into Azure Data Explorer clusters.
8. Azure Cosmos DB: Azure Cosmos DB is a service that provides a globally distributed and multi-model database for various types of data, such as key-value, document, graph, and more. Azure Cosmos DB data can be queried with KQL by using the Azure Data Explorer connector, which allows ingesting data from Azure Cosmos DB into Azure Data Explorer clusters.

These are only some of the data sources that can be queried with KQL, but not the only ones. KQL can also query data from other sources, such as CSV files, JSON files, REST APIs, and more, by using the “externaldata” operator, which allows importing data from external sources into KQL queries. KQL can also query data from multiple sources at once, by using the union operator, which allows combining data from different sources into a single result set. KQL can handle data of any type, size, and format, and can provide fast and interactive analysis on large and diverse datasets.

KQL can also be used in other platforms and tools, such as Power BI, Visual Studio Code, and Jupyter Notebooks:

• Power BI: Power BI can connect to Azure Data Explorer and use KQL to query and visualize data from various sources.
• Visual Studio Code: Visual Studio Code is a code editor that supports multiple programming languages and extensions. Visual Studio Code can use the Kusto extension to write and run KQL queries, and connect to Azure Data Explorer clusters and databases.
• Jupyter Notebooks: Jupyter Notebooks are interactive documents that can contain code, text, images, and more. Jupyter Notebooks can use the ‘Kqlmagic’ extension to write and run KQL queries, and connect to Azure Data Explorer and other data sources.

The post KQL and SQL: A Comparison of Query Languages appeared first on Dynamics Communities.