Tabular Operators
Introduction to Tabular Operators Tabular operator overview and categories
Tabular operators transform an input table into an output table. In KQL, they are chained with the pipe (|) character — each operator receives the result of the previous step:
logs | where severity_number >= 17 | project timestamp, body, service | sort by timestamp desc | take 100 The first line (logs) is the dataset name. Each subsequent | applies an operator that filters, reshapes, or aggregates the data. For a full introduction to writing queries, see Writing Queries .
Operator Description search Full-text search across all string columns in the input table. tail Returns up to the specified number of most recent rows by $time descending. take Returns up to the specified number of rows from the input table. top Returns the top N rows sorted by the specified columns. trace-find Experimental : This operator is experimental and its semantics may change.where Filters rows based on a boolean predicate expression.
Operator Description extend Adds computed columns to the input table while keeping all existing columns. project Selects specific columns from the input and optionally computes new columns or renames existing ones. project-away Selects all columns from the input except the specified columns.
Operator Description count Returns the number of rows in the input table as a single row with a single column named Count. distinct Returns a table with the distinct combination of the provided columns of the input table. make-series Creates series of aggregated values along a specified axis, typically time-based. summarize Groups rows and calculates aggregate values over each group.
Operator Description sort Sorts the rows of the input table by one or more columns in ascending or descending order.
Operator Description join Merges rows of two tables by matching values of specified columns.
Operator Description parse Extracts structured data from a string column using a pattern with named captures. parse-where Extracts structured data from a string column and filters out rows where the pattern does not match.
Operator Description fieldstats Analyzes dynamic column values to discover field paths and their statistics, returning a table with AttributePath, Type, Cardinality, Frequency, Hint, and HintExhaustive columns. otel-log-stats Single-pass OTEL log exploration: discovers attributes and computes top values with severity breakdown (error/warn/info/debug counts).
Operator Description annotate Adds type annotations to dynamic columns, enabling forward-flow type inference and zero-copy access when runtime type matches annotation. fork Executes multiple independent pipelines from a single source, producing multiple result tables. getschema Returns a table with column names and types from the input table schema. invoke Invokes a tabular function with the piped input as the first (tabular) argument. mv-apply Applies a subquery to each record and returns the union of results. mv-expand Expands multi-value dynamic arrays or property bags into multiple rows, duplicating other columns. range Generates a single-column table of values in an arithmetic sequence. render Renders results using a specified visualization type. union Combines rows from two or more tables into a single result set.