Which is efficient query - project after where (or) where after project


I query a Log Analytics table (which has a huge number of records) from a workbook.

This table - Azure Diagnostics - will have columns from other Azure RPs as well.

To make my query efficient, I looked at the Kusto best practices and made query changes.

When I first fetch the table, I always use a time filter first. However, after the first time filter, I am not sure if I have to use subsequent 'where' filters or narrow down the columns using 'project'. The reason being that the AzureDiagnostics table tends to have a lot more columns than what is ingested from my service, and hence I need to narrow down.

Hence the question is: after the time filter, should I use where filters after project (or) project after where filters?

3 Replies

Project then Where
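
The two orderings the question asks about, written out as an added example (not part of any post in this thread). The Key Vault filter values and the one-hour window are assumptions chosen for illustration; the column names are standard AzureDiagnostics columns.

```kusto
// Added example; filter values and the 1h window are assumed for illustration.

// Ordering A: time filter, remaining `where` filters, then `project`.
AzureDiagnostics
| where TimeGenerated > ago(1h)
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| project TimeGenerated, Resource, OperationName, ResultType

// Ordering B: time filter, `project`, then the remaining `where` filters.
// A `where` placed after `project` can only reference columns the `project`
// kept, so ResourceProvider and Category have to be carried through the
// projection and dropped afterwards with `project-away`.
AzureDiagnostics
| where TimeGenerated > ago(1h)
| project TimeGenerated, ResourceProvider, Category, Resource, OperationName, ResultType
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| project-away ResourceProvider, Category
```

Both forms select the same rows and columns, so running each over the same time range lets the two orderings be compared directly.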

Thanks @CLIVE_Watson for the response.

 

The best practice for LA queries remains the same as for Kusto?

Since LA is on top of Kusto, is there some layering over KQL which requires a different set of rules/recommendations for better optimization?


@Vino55 

 

https://docs.microsoft.com/en-gb/azure/azure-monitor/log-query/query-language

"Azure Monitor logs are built on Azure Data Explorer, and Azure Monitor log queries use a version of the same Kusto query language. The Kusto query language documentation has all of the details for the language and should be your primary resource for writing Azure Monitor log queries. This page provides links to other resources for learning how to write queries and on differences with the Azure Monitor implementation of the language."