Welcome to the second blog post in the series Becoming a Kusto Knight. While the previous blog post was more about what Kusto Query Language is, and about entities, today's blog post will be about clusters, databases, tables, and columns.
Clusters are the largest entity in Kusto. A Kusto cluster can host one or more databases. Although databases are hosted on a cluster, each database has its own Role-Based Access Control (RBAC) to manage permissions. A database can host the following items:
- Stored functions
- External tables
Tables contain the data that we can query with the Kusto Query Language, and they follow the same naming rules as entities. Clusters, databases, and tables are referenced as shown in the screenshot below.
Each table contains at least one column which has a scalar data type.
Stored functions are user-defined, reusable queries or reusable query parts that are stored in a Kusto database.
Besides stored functions, there are also query-defined functions, which are defined and used within the scope of a single query.
The third type of function is the built-in function; users cannot edit these. An example is the _GetWatchlist function in Azure Sentinel.
While we can declare external tables in a database, we will only store the reference to the data. This way the data can be managed and modified on the external source.
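The function and reference forms described above, as an added example that is not from the original post: a query-defined function run over constructed sample rows, with the stored form and the qualified reference forms shown in comments. The names `SigninEvents` and `FailedSignins`, the sample rows, and the `<...>` placeholders are assumptions made for illustration.

```kusto
// Reference forms (placeholder names, not from the post):
//   cluster("<cluster-uri>").database("<database>").<Table>   // fully qualified table
//   database("<database>").<Table>                            // another database, same cluster
//   external_table("<ExternalTableName>")                     // only the reference lives in the database
//
// Constructed sample rows; datatable stands in for a real table so the query is self-contained.
let SigninEvents = datatable(TimeGenerated: datetime, Account: string, SourceIp: string, Result: string)
[
    datetime(2024-01-01 08:00:00), "alice", "203.0.113.10", "Failure",
    datetime(2024-01-01 08:00:30), "alice", "203.0.113.10", "Failure",
    datetime(2024-01-01 08:01:00), "alice", "203.0.113.10", "Success",
    datetime(2024-01-01 09:00:00), "bob",   "198.51.100.7", "Failure",
    datetime(2024-01-01 09:05:00), "bob",   "198.51.100.7", "Success"
];
// Query-defined function: declared with let, visible only inside this query.
// The tabular parameter comes first and declares the columns the body relies on.
let FailedSignins = (T: (TimeGenerated: datetime, Account: string, SourceIp: string, Result: string),
                     minFailures: long)
{
    T
    | where Result == "Failure"
    | summarize Failures = count(),
                FirstSeen = min(TimeGenerated),
                LastSeen = max(TimeGenerated)
        by Account, SourceIp
    | where Failures >= minFailures
};
// Returns one row per Account/SourceIp pair with at least two failures.
FailedSignins(SigninEvents, 2)
// Stored equivalent: the same body saved in a database with a management command,
// run on its own and subject to that database's RBAC:
//   .create-or-alter function with (docstring = "Repeated failed sign-ins")
//   FailedSignins(minFailures: long) { <Table> | where Result == "Failure" | ... }
```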
All items follow the same rules as entity types, but they do have different limits. There can be up to 10000 databases, tables, and columns. For external tables, the current limit is set to 1000.
Now that we know where data is stored and that each column has a scalar data type, it is an appropriate time to discover which scalar data types are available. You can read about this in the next blog post.