## Downloaded from https://notebooks.azure.com/ManojRaheja/projects/KustoMagicSamples/html/Getting%20Started%20with%20kqlmagic%20on%20Azure%20Data%20Explorer.ipynb
# 1. Introduction

Jupyter supports magic functions that extends the capabilities of kernel by supporting  additional commands that are not natively supported by the kernel. 
kqlmagic helps you to extend the capabilities of Python kernel in Jupyter Notebook  and allows you to run Kusto Query Language queries natively. It supports Azure Data Explorer, Application Insights, and Log Analytics as data sources to run queries against.

This tutorial demonstrates some of the key capabilities of kqlmagic querying data from Azure Data Explorer. Please refer the following sample notebooks to learn all the available commands.

* [Get Started with Kqlmagic for Azure Data Explorer](https://mybinder.org/v2/gh/Microsoft/jupyter-Kqlmagic/master?filepath=notebooks%2FQuickStart.ipynb) 
* [Get Started with Kqlmagic for Application Insights](https://mybinder.org/v2/gh/Microsoft/jupyter-Kqlmagic/master?filepath=notebooks%2FQuickStartAI.ipynb) 
* [Get Started with Kqlmagic for Log Analytics](https://mybinder.org/v2/gh/Microsoft/jupyter-Kqlmagic/master?filepath=notebooks%2FQuickStartLA.ipynb) 
* [Parametrize your Kqlmagic query with Python](https://mybinder.org/v2/gh/Microsoft/jupyter-Kqlmagic/master?filepath=notebooks%2FParametrizeYourQuery.ipynb) 
* [Choose colors palette for your Kqlmagic query chart result](https://mybinder.org/v2/gh/Microsoft/jupyter-Kqlmagic/master?filepath=notebooks%2FColorYourCharts.ipynb) 


# 2. Prerequisite

### 2.1 Install kqlmagic library

In [None]:
!pip install Kqlmagic --no-cache-dir  --upgrade

### 2.2 Load kqlmagic

In [20]:
reload_ext Kqlmagic

## This section was edited by Taiob Ali

### October 25th 2020

### Added a new data source

### 2.3 Connect to the Azure Data Explorer Help cluster

Following command connect to the Samples database hosted on Help cluster. For non-Microsoft AAD users, please replace the tenant name “Microsoft.com” with your AAD Tenant.

First one is for following my demo code pointing to [https://aka.ms/LADemo](https://aka.ms/LADemo).

Second one is to run the codes in this notebook.

In [None]:
%kql loganalytics://workspace='DEMO_WORKSPACE';appkey='DEMO_KEY';alias='myworkspace'

In [None]:
%kql AzureDataExplorer://tenant="Microsoft.com";code;cluster='help';database='Samples'

# 3. Query and visualize
In this section we will look at how to query and visualize data using kql render command and visualize data using ploy.ly library. All with an integrated experience using native KQL [render operator.](https://docs.microsoft.com/azure/kusto/query/renderoperator) kqlmagic supports most charts except timepivot, pivotchart, and ladderchart and all render with attributes are supported except: kind, ysplit, and accumulate. 

### 3.1 Query and render piechart

In [None]:
%%kql 
StormEvents 
| summarize statecount=count() by State
| sort by statecount 
| limit 10
| render piechart title="My Pie Chart by State"

### 3.2 Query and render timechart

Here is another example of rendering timechart. These charts are interactive, try zooming in a specific time by selecting the time range.


In [None]:
%%kql
StormEvents
| summarize count() by bin(StartTime,7d)
| render timechart

# 4. Customize the chart colors
If you don’t like the default color plate, you can customize the charts by setting the palette options. Let’s look at all the palette available to us. To learn more, please refer this sample notebook: [Choose colors palette for your Kqlmagic query chart result](https://mybinder.org/v2/gh/Microsoft/jupyter-Kqlmagic/master?filepath=notebooks%2FColorYourCharts.ipynb)

In [None]:
%kql --palettes -popup_window

Let’s choose “cool” color palettes and render the query again.

In [None]:
%%kql -palette_name "cool"
StormEvents 
| summarize statecount=count() by State
| sort by statecount 
| limit 10
| render piechart title="My Pie Chart by State"

# 5\. Next steps

Run the help command to know more and explore the following sample notebooks that contains all the supported features.

-   [Get Started with Kqlmagic for Azure Data Explorer](https://mybinder.org/v2/gh/Microsoft/jupyter-Kqlmagic/master?filepath=notebooks%2FQuickStart.ipynb)
-   [Get Started with Kqlmagic for Application Insights](https://mybinder.org/v2/gh/Microsoft/jupyter-Kqlmagic/master?filepath=notebooks%2FQuickStartAI.ipynb)
-   [Get Started with Kqlmagic for Log Analytics](https://mybinder.org/v2/gh/Microsoft/jupyter-Kqlmagic/master?filepath=notebooks%2FQuickStartLA.ipynb)
-   [Parametrize your Kqlmagic query with Python](https://mybinder.org/v2/gh/Microsoft/jupyter-Kqlmagic/master?filepath=notebooks%2FParametrizeYourQuery.ipynb)
-   [Choose colors palette for your Kqlmagic query chart result](https://mybinder.org/v2/gh/Microsoft/jupyter-Kqlmagic/master?filepath=notebooks%2FColorYourCharts.ipynb)

In [None]:
%kql --help "help"

# 6\. How To Connect to Log Analytics Workspace

To understand details about the connection string I followed the document [Connecting to Log Analytics using Azure Data Studio and KQL](https://www.red-gate.com/simple-talk/blogs/connecting-log-analytics-using-azure-data-studio-kql/) by Dennes Torres

In [28]:
%kql loganalytics://tenant='d5b50601-6698-4f8f-beb6-1799fee4dc80';clientid='7b1fcde4-b8c5-479d-9896-5c767a19fe7a';clientsecret='f.4g9_kHqq1AU48M90T8kilP~_VsRnd9om';workspace='576e1cba-2d04-459e-b457-fe157e632dea';alias='Sqlalertdemo2'

### 6.1 Looking it top 10 collected metrics in last 24 hours

In [29]:
%%kql
AzureMetrics 
| where TimeGenerated > ago(24h) 
| limit 10

Unnamed: 0,TenantId,SourceSystem,TimeGenerated,ResourceId,OperationName,OperationVersion,Category,ResultType,ResultSignature,ResultDescription,DurationMs,CallerIpAddress,CorrelationId,Resource,ResourceGroup,ResourceProvider,SubscriptionId,MetricName,Total,Count,Maximum,Minimum,Average,TimeGrain,UnitName,RemoteIPCountry,RemoteIPLatitude,RemoteIPLongitude,MaliciousIP,IndicatorThreatType,Description,TLPLevel,Confidence,Severity,FirstReportedDateTime,LastReportedDateTime,IsActive,ReportReferenceLink,AdditionalInformation,Type,_ResourceId
0,576e1cba-2d04-459e-b457-fe157e632dea,Azure,2020-10-25 20:12:00+00:00,/SUBSCRIPTIONS/18D92F52-AC34-4379-AB8B-5A5106F...,,,,,,,,,,SQLALERTDEMODATABASE,SQLALERTDEMO1,MICROSOFT.SQL,18d92f52-ac34-4379-ab8b-5a5106f1c54e,cpu_percent,0.0,4.0,0.0,0.0,0.0,PT1M,Percent,,,,,,,,,,,,,,,AzureMetrics,/subscriptions/18d92f52-ac34-4379-ab8b-5a5106f...
1,576e1cba-2d04-459e-b457-fe157e632dea,Azure,2020-10-25 20:13:00+00:00,/SUBSCRIPTIONS/18D92F52-AC34-4379-AB8B-5A5106F...,,,,,,,,,,SQLALERTDEMODATABASE,SQLALERTDEMO1,MICROSOFT.SQL,18d92f52-ac34-4379-ab8b-5a5106f1c54e,cpu_percent,0.0,4.0,0.0,0.0,0.0,PT1M,Percent,,,,,,,,,,,,,,,AzureMetrics,/subscriptions/18d92f52-ac34-4379-ab8b-5a5106f...
2,576e1cba-2d04-459e-b457-fe157e632dea,Azure,2020-10-25 20:14:00+00:00,/SUBSCRIPTIONS/18D92F52-AC34-4379-AB8B-5A5106F...,,,,,,,,,,SQLALERTDEMODATABASE,SQLALERTDEMO1,MICROSOFT.SQL,18d92f52-ac34-4379-ab8b-5a5106f1c54e,cpu_percent,0.0,4.0,0.0,0.0,0.0,PT1M,Percent,,,,,,,,,,,,,,,AzureMetrics,/subscriptions/18d92f52-ac34-4379-ab8b-5a5106f...
3,576e1cba-2d04-459e-b457-fe157e632dea,Azure,2020-10-25 20:15:00+00:00,/SUBSCRIPTIONS/18D92F52-AC34-4379-AB8B-5A5106F...,,,,,,,,,,SQLALERTDEMODATABASE,SQLALERTDEMO1,MICROSOFT.SQL,18d92f52-ac34-4379-ab8b-5a5106f1c54e,cpu_percent,0.0,4.0,0.0,0.0,0.0,PT1M,Percent,,,,,,,,,,,,,,,AzureMetrics,/subscriptions/18d92f52-ac34-4379-ab8b-5a5106f...
4,576e1cba-2d04-459e-b457-fe157e632dea,Azure,2020-10-25 20:16:00+00:00,/SUBSCRIPTIONS/18D92F52-AC34-4379-AB8B-5A5106F...,,,,,,,,,,SQLALERTDEMODATABASE,SQLALERTDEMO1,MICROSOFT.SQL,18d92f52-ac34-4379-ab8b-5a5106f1c54e,cpu_percent,0.0,4.0,0.0,0.0,0.0,PT1M,Percent,,,,,,,,,,,,,,,AzureMetrics,/subscriptions/18d92f52-ac34-4379-ab8b-5a5106f...
5,576e1cba-2d04-459e-b457-fe157e632dea,Azure,2020-10-25 20:17:00+00:00,/SUBSCRIPTIONS/18D92F52-AC34-4379-AB8B-5A5106F...,,,,,,,,,,SQLALERTDEMODATABASE,SQLALERTDEMO1,MICROSOFT.SQL,18d92f52-ac34-4379-ab8b-5a5106f1c54e,cpu_percent,0.0,4.0,0.0,0.0,0.0,PT1M,Percent,,,,,,,,,,,,,,,AzureMetrics,/subscriptions/18d92f52-ac34-4379-ab8b-5a5106f...
6,576e1cba-2d04-459e-b457-fe157e632dea,Azure,2020-10-25 20:18:00+00:00,/SUBSCRIPTIONS/18D92F52-AC34-4379-AB8B-5A5106F...,,,,,,,,,,SQLALERTDEMODATABASE,SQLALERTDEMO1,MICROSOFT.SQL,18d92f52-ac34-4379-ab8b-5a5106f1c54e,cpu_percent,0.0,4.0,0.0,0.0,0.0,PT1M,Percent,,,,,,,,,,,,,,,AzureMetrics,/subscriptions/18d92f52-ac34-4379-ab8b-5a5106f...
7,576e1cba-2d04-459e-b457-fe157e632dea,Azure,2020-10-25 20:19:00+00:00,/SUBSCRIPTIONS/18D92F52-AC34-4379-AB8B-5A5106F...,,,,,,,,,,SQLALERTDEMODATABASE,SQLALERTDEMO1,MICROSOFT.SQL,18d92f52-ac34-4379-ab8b-5a5106f1c54e,cpu_percent,0.0,4.0,0.0,0.0,0.0,PT1M,Percent,,,,,,,,,,,,,,,AzureMetrics,/subscriptions/18d92f52-ac34-4379-ab8b-5a5106f...
8,576e1cba-2d04-459e-b457-fe157e632dea,Azure,2020-10-25 20:20:00+00:00,/SUBSCRIPTIONS/18D92F52-AC34-4379-AB8B-5A5106F...,,,,,,,,,,SQLALERTDEMODATABASE,SQLALERTDEMO1,MICROSOFT.SQL,18d92f52-ac34-4379-ab8b-5a5106f1c54e,cpu_percent,0.0,4.0,0.0,0.0,0.0,PT1M,Percent,,,,,,,,,,,,,,,AzureMetrics,/subscriptions/18d92f52-ac34-4379-ab8b-5a5106f...
9,576e1cba-2d04-459e-b457-fe157e632dea,Azure,2020-10-25 20:12:00+00:00,/SUBSCRIPTIONS/18D92F52-AC34-4379-AB8B-5A5106F...,,,,,,,,,,SQLALERTDEMODATABASE,SQLALERTDEMO1,MICROSOFT.SQL,18d92f52-ac34-4379-ab8b-5a5106f1c54e,physical_data_read_percent,0.0,4.0,0.0,0.0,0.0,PT1M,Percent,,,,,,,,,,,,,,,AzureMetrics,/subscriptions/18d92f52-ac34-4379-ab8b-5a5106f...


### 6.2 Looking at Deadlock for last one hour

In [30]:
%%kql
AzureDiagnostics 
| where  Category == 'Deadlocks' 
| where TimeGenerated > ago(1h)

Unnamed: 0,TenantId,TimeGenerated,ResourceId,Category,ResourceGroup,SubscriptionId,ResourceProvider,Resource,ResourceType,OperationName,ResultType,CorrelationId,ResultDescription,Tenant_g,JobId_g,RunbookName_s,StreamType_s,Caller_s,requestUri_s,Level,DurationMs,CallerIPAddress,OperationVersion,ResultSignature,id_s,status_s,LogicalServerName_s,Message,clientInfo_s,httpStatusCode_d,identity_claim_appid_g,identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,userAgent_s,ruleName_s,identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s,systemId_g,isAccessPolicyMatch_b,EventName_s,httpMethod_s,subnetId_s,type_s,instanceId_s,macAddress_s,vnetResourceGuid_g,direction_s,subnetPrefix_s,primaryIPv4Address_s,conditions_sourcePortRange_s,priority_d,conditions_destinationPortRange_s,conditions_destinationIP_s,conditions_None_s,conditions_sourceIP_s,httpVersion_s,matchedConnections_d,startTime_t,endTime_t,DatabaseName_s,clientIP_s,host_s,requestQuery_s,sslEnabled_s,clientPort_d,httpStatus_d,receivedBytes_d,sentBytes_d,timeTaken_d,resultDescription_ErrorJobs_s,resultDescription_ChildJobs_s,identity_claim_http_schemas_microsoft_com_identity_claims_scope_s,workflowId_s,resource_location_s,resource_workflowId_g,resource_resourceGroupName_s,resource_subscriptionId_g,resource_runId_s,resource_workflowName_s,_schema_s,correlation_clientTrackingId_s,properties_sku_Family_s,properties_sku_Name_s,properties_tenantId_g,properties_enabledForDeployment_b,code_s,resultDescription_Summary_MachineId_s,resultDescription_Summary_ScheduleName_s,resultDescription_Summary_Status_s,resultDescription_Summary_StatusDescription_s,resultDescription_Summary_MachineName_s,resultDescription_Summary_TotalUpdatesInstalled_d,resultDescription_Summary_RebootRequired_b,resultDescription_Summary_TotalUpdatesFailed_d,resultDescription_Summary_InstallPercentage_d,resultDescription_Summary_StartDateTimeUtc_t,resource_triggerName_s,resultDescription_Summary_InitialRequiredUpdatesCount_d,properties_enabledForTemplateDeployment_b,resultDescription_Summary_EndDateTimeUtc_s,resultDescription_Summary_DurationInMinutes_s,resource_originRunId_s,properties_enabledForDiskEncryption_b,resource_actionName_s,correlation_actionTrackingId_g,resultDescription_Summary_EndDateTimeUtc_t,resultDescription_Summary_DurationInMinutes_d,conditions_protocols_s,identity_claim_ipaddr_s,ElasticPoolName_s,identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s,RunOn_s,query_hash_s,SourceSystem,MG,ManagementGroupName,Computer,RawData,error_number_d,Severity,user_defined_b,state_d,duration_d,lock_mode_s,resource_owner_type_s,blocked_process_filtered_s,start_utc_date_t,end_utc_date_t,wait_type_s,delta_max_wait_time_ms_d,delta_signal_wait_time_ms_d,delta_wait_time_ms_d,delta_waiting_tasks_count_d,deadlock_xml_s,error_state_d,query_plan_hash_s,package_s,event_s,sessionName_s,originalEventTimestamp_t,audit_schema_version_d,event_time_t,sequence_number_d,action_id_s,action_name_s,succeeded_s,is_column_permission_s,session_id_d,server_principal_id_d,database_principal_id_d,target_server_principal_id_d,target_database_principal_id_d,object_id_d,user_defined_event_id_d,transaction_id_d,class_type_s,class_type_description_s,securable_class_type_s,duration_milliseconds_d,response_rows_d,affected_rows_d,client_ip_s,permission_bitmask_g,sequence_group_id_g,session_server_principal_name_s,server_principal_name_s,server_principal_sid_s,database_principal_name_s,target_server_principal_name_s,target_server_principal_sid_s,target_database_principal_name_s,server_instance_name_s,database_name_s,schema_name_s,object_name_s,statement_s,additional_information_s,user_defined_information_s,application_name_s,connection_id_g,data_sensitivity_information_s,host_name_s,session_context_s,is_server_level_audit_s,event_id_g,OptionName_s,OptionDesiredState_s,OptionActualState_s,OptionDisableReason_s,IsDisabledBySystem_d,DatabaseDesiredMode_s,DatabaseActualMode_s,Type,_ResourceId
