New Blog Post | Must Learn KQL Part 19: The Join Operator

Must Learn KQL Part 19: The Join Operator – Azure Cloud & AI Domain Blog (azurecloudai.blog)

As noted in part/chapter 18, this mini-series on merging data contains two different principles. Reiterated from the last part/chapter…

Union allows you to take the data from two or more tables and display the results (all rows from all tables) together. Join, on the other hand, is intended to produce more specific results by joining rows of just two tables through matching the values of columns you specify.

There’s quite a bit more to the Join operator (and Join, in general) than I’ll cover in this part/chapter. I want to make sure to keep this focused on those things necessary to help build your first Microsoft Sentinel Analytics Rule in the final part/chapter of this series.

Join merges the rows of two tables (left table and right table) to form a new pseudo-table by matching values of the specified column(s) from each table. Just like any other query language’s Join, the KQL Join operator supports the following Join methods along with some additional nuanced options – with inner Join being the default.
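
The union/join contrast described above, as an added example that is not part of the original post. The table names `SignIns` and `RiskyIPs`, their columns and every value are constructed for illustration, and the join kind is written out explicitly.

```kql
// Constructed sample data (hypothetical tables, not from the original post).
// Left table: sign-in events. ResultType "0" stands for success here.
let SignIns = datatable(TimeGenerated:datetime, UserPrincipalName:string,
                        IPAddress:string, ResultType:string)
[
    datetime(2022-02-14 09:01:00), "alice@contoso.example", "203.0.113.10", "50126",
    datetime(2022-02-14 09:02:30), "bob@contoso.example",   "198.51.100.7", "0",
    datetime(2022-02-14 09:05:12), "carol@contoso.example", "203.0.113.10", "50126",
    datetime(2022-02-14 09:07:45), "dave@contoso.example",  "192.0.2.44",   "50126"
];
// Right table: a small list of addresses an analyst wants to flag.
let RiskyIPs = datatable(IPAddress:string, Reason:string)
[
    "203.0.113.10", "constructed watchlist entry A",
    "192.0.2.99",   "constructed watchlist entry B"
];
// Union would simply stack every row of both tables into one result,
// leaving columns that a table does not have empty:
//     union SignIns, RiskyIPs
//
// Join keeps only left rows whose IPAddress value also exists in the
// right table, and adds the right table's columns to each match.
SignIns
| where ResultType != "0"                       // failed sign-ins only
| join kind=inner (RiskyIPs) on IPAddress       // match on the shared column
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, Reason
| sort by TimeGenerated asc
```

Because both tables are declared inline with `datatable`, the query can be pasted into a Log Analytics or Azure Data Explorer query window without depending on any ingested data.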

 
