GitHubContribute in GitHub: Edit online

Tabular expression statements

The tabular expression statement is what people usually have in mind when they talk about queries. This statement usually appears last in the statement list, and both its input and its output consists of tables or tabular data sets. Any two statements must be separated by a semicolon.

Data Explorer uses a data flow model for the tabular expression statement. A tabular expression statement is generally composed of tabular data sources such as Data Explorer tables, tabular data operators such as filters and projections, and optional rendering operators. The composition is represented by the pipe character (|), giving the statement a very regular form that visually represents the flow of tabular data from left to right. Each operator accepts a tabular data set "from the pipe", and other inputs including more tabular data sets from the body of the operator, then emits a tabular data set to the next operator that follows.

Syntax

Source | Operator1 | Operator2 | RenderInstruction

  • Source - tabular data sources such as Data Explorer tables
  • Operator - tabular data operators such as filters and projections
  • RenderInstruction - rendering operators or instructions

Tabular data sources

A tabular data source produces sets of records, to be further processed by tabular data operators. Data Explorer supports several of these sources:

  • Table references (which refer to a table, in the context database)
  • An invocation of a function that returns a table.

Example

In the following example, the events table is used to produce records to the where operator

events 
    | where original_time > ago(1d)
    | where user_id == 'user'