top of page
Search

Kusto KQL - Part 3D - Operators

  • brencronin
  • 5 hours ago
  • 2 min read

KQL Numeric and Comparison Operators


KQL provides a standard set of arithmetic and comparison operators used for calculations and filtering:


Arithmetic Operators (return numeric values)

+   Addition
-   Subtraction
*   Multiplication
/   Division
%   Modulo (remainder)

These are commonly used for:


  • Rate calculations (e.g., bytes/sec)

  • Data normalization

  • Threshold comparisons


Comparison & Membership Operators (return boolean values)

>   Greater than
<   Less than
>=  Greater than or equal
<=  Less than or equal
==  Equal
!=  Not equal
in  Matches any value in a set
!in Not in a set

These are primarily used in:


  • where filters

  • Conditional logic (count_if, case, etc.)

  • Data reduction for performance optimization


Key Behavior: Integer Division Truncation


In KQL, dividing two integers (or long values) results in integer truncation, meaning the decimal portion is discarded.


This can introduce precision loss, especially in:


  • Ratio calculations

  • Baseline comparisons

  • Anomaly detection logic


Example (truncated result)

SentBytes / ReceivedBytes

Preserving Precision with Floating-Point Math


To retain decimal precision, ensure at least one operand is a real (double):


Option 1: Use a real literal

SentBytes / 1024000.0

Option 2: Cast using toreal()

SentBytes / toreal(ReceivedBytes)
toreal(SentBytes) / ReceivedBytes

Additional Practical Considerations


1. in / !in Efficiency


  • More efficient than chaining multiple or conditions:

where Account in ("admin", "svc_account", "backup_user")

2. Type Sensitivity


  • KQL is strongly typed:

    • Comparing string to int → fails or yields no results

    • Always ensure type alignment (use toint(), tostring(), etc.)


3. Null Handling


  • Comparisons with null return false

  • Use:

isnull(field)
isnotnull(field)

4. Case Sensitivity


  • == is case-sensitive

  • Use:

=~   (case-insensitive equal)
!~   (case-insensitive not equal)

5. Operator Use in Aggregations


Operators are frequently embedded in summarization logic:

| summarize HighTraffic = countif(SentBytes > 1000000)

Bottom Line


  • Use arithmetic operators for transformations and derived metrics

  • Use comparison operators to aggressively filter early (performance gain)

  • Always control data types to avoid silent logic errors

  • Explicitly use toreal() when precision matters


In practice, improper operator usage, especially around type handling and integer division, is one of the most common sources of subtle errors in KQL-based detections and analytics.

Recent Posts

See All

Comments

Post: Blog2_Post
  • Facebook
  • Twitter
  • LinkedIn

©2021 by croninity. Proudly created with Wix.com

bottom of page