Where do we store the data in Kusto
By Gianni Castaldi
Welcome to the second blog post in the series becoming a Kusto Knight. While the previous blog post was more about what Kusto Query Language is, and about entities, todays blog post will be about clusters databases, tables and columns.
Clusters are the largest form in Kusto. A Kusto cluster can host one or more databases.
Databases are hosted on a cluster, they do have their own Role-Based Access Control, to manage the permissions. A database can host the following items:
- Stored functions
- External tables
Tables contain the data which we can query with the Kusto Query Language, and follow the same rules as entities. Clusters, databases and tables are can be called like in the screenshot below.
Each table contains at least 1 column which has a scalar data type.
Stored functions are user defined, reusable queries or reusable query parts and are stored in a Kusto database.
Besides stored functions there are also query-defined functions which defined and used within the scope of a single query.
The third type of functions are the built-in functions, these cannot be edited by users. An example of this can be the _GetWatchlist function in Azure Sentinel.
While we can declare external tables in a database, we will only store the reference to the data. This way the data can be managed and modified on the external source.
All items follow the same rules as entity types, but they do have different limits. There can be 10000, databases, tables, and columns.
For external tables the current limit is set to 1000.
Now that we know where data is stored and that the columns have their scalar data type it is an appropriate time to discover which scalar data types are available.
You can read more about this in the next blog post.
And for some exercises on data locations go to the Kusto Gym