# Describe Microsoft Fabric Real-Time Intelligence?

## Real-Time Intelligence
**Real-Time Intelligence** is a fully managed service that is optimized for **`streaming time-series` data**. 

By Using Real-Time Intelligence in Fabric, you can:
- **_Ingest_** data from **any `source`**, in **any `data format`**.
- **_Import_** data with **by-default `streaming`** that provides high performance, low latency, high freshness data analysis.
- Imported data **_undergoes_** **default `partitioning`** - both **`time` and `hash-based`** partitioning, and **by-default `indexing`**.
- **_Work_** with **versatile `data structures`** and query structured, semi-structured, or free text.
- **_Run_** analytical queries **directly on `raw` data** without the need to build complex data models or create scripting to transform the data.
- **_Query_** raw data without transformation, with high performance, incredibly low response time, and using a wide variety of available operators.
- **_Scale_** to an **unlimited amount of data**, from **`gigabytes to petabytes`**, with unlimited scale on **_concurrent queries_** and **_concurrent users_**.
- **_Integrate_** seamlessly with **other _workloads_ and _items_** in Microsoft Fabric.

## Real-Time Hub
The **Real-Time Hub** serves as your **_gateway_** to **`uncover`** and **`control`** the flow of your streaming data. It's a dynamic catalog that includes:

<img src="../images/01_Get started with Microsoft Fabric/08/real-time-hub-highlight.png" alt="Real-Time hub" style="border: 2px solid black; border-radius: 10px;">

## Real-Time Dashboards
Data insights can be visualized through **`KQL querysets`**, **`Real-Time dashboards`**, and **`Power BI`** reports, with a rapid transition from data ingestion to visualization.
- Users can employ visual cues for **_filtering_** and **_aggregating_** query results, **_utilizing_** a comprehensive suite of built-in visualizations, with minimal coding. 
- Insights are accessible in Power BI Reports and Real-Time Dashboards, both of which can **incorporate `alerts`** based on the data insights.

### Alerts
**Alerts** can also be set within the non-table visualizations on the Real-Time Dashboards while in editing mode to **_provide notifications_** when an established threshold that you set has been met.

<img src="../images/01_Get started with Microsoft Fabric/08/set-alert-dashboard.png" alt="Real-Time Dashboard alerts" style="border: 2px solid black; border-radius: 10px;">

The alerts can notify you within **`Microsoft Teams`** or by **sending an `email`**.

<img src="../images/01_Get started with Microsoft Fabric/08/set-alert-parameters.png" alt="Alert parameter configuration" style="border: 2px solid black; border-radius: 10px;">

# Understand KQL database and tables

## Kusto Query Language (KQL)
**Kusto Query Language (KQL):** is a **_declarative query language_** used to analyze and extract insights from structured, semi-structured, and unstructured data.
- It was designed specifically for searching large-scale **`log data`** efficiently and quickly, making it perfectly suited for cloud-based data analytics.
- It enables **efficiency in data exploration and data analysis** by allowing users to work with **_heterogeneous data sources_** and visualize the results in various ways.
- It supports **reproducible analyses** by allowing users to create **_notebooks with_ `Kusto kernel`** that can capture code, results, and context on the analysis.
- It improves **DevOps troubleshooting experience** by allowing users to create **`runbooks`** or **`playbooks`** in notebooks with Kusto kernel that can detail how to troubleshoot and mitigate issues using telemetry data.
- It enriches **DevOps flow** by allowing users to add KQL files and KQL notebook files to their Git repositories and CI/CD pipelines.
- It provides **guidance and helps you build search queries from scratch** by using the KQL editor that **quickly identifies `potential errors`** and **displays `hints`** about how to resolve issues.
- It lets you quickly **paste long, complex queries directly into the editor** if you receive them from other sources.
- It allows you to **filter, present, and aggregate your data** using various operators and functions that are easy to read and author.

## Real-Time Intelligence core components
Screenshot of Fabric Real-Time Intelligence components.

<img src="../images/01_Get started with Microsoft Fabric/08/real-time-intelligence-core-components.png" alt="Fabric Real-Time Intelligence components" style="border: 2px solid black; border-radius: 10px;">

**1. Event house:** Event houses are like a large, efficient **`library` for data**. They help organizations handle and analyze lots of data quickly, especially when it's important to get insights fast. Think of it as a supercharged database that can deal with data coming in nonstop, from different places, and in various forms. It's designed to grow with the data needs of a project, making sure everything will run smoothly without wasting resources.
<img src="../images/01_Get started with Microsoft Fabric/08/eventhouse-landing-page-large.png" alt="Event house landing page" style="border: 2px solid black; border-radius: 10px;">

**2. KQL database:** is a Kusto database and an upper-level entity that hosts a collection of tables, stored functions, materialized views, shortcuts, and datastreams.

<img src="https://files.training.databricks.com/images/icon_note_32.png" alt="Note"> You can continue to create and use stand-alone KQL databases while event house is still in preview. After this period, they will be managed with the event house as the management layer hosting many KQL databases.

**3. KQL Queryset:** Use this tool to **run queries**, and **view** and **manipulate query results** on data from your KQL database. The KQL Queryset allows you to save queries for future use, or export and share queries with others. In addition, the KQL Queryset uses the Kusto Query language for query creation, and also supports T-SQL and some T-SQL functions. For more information about the query language, see [Kusto Query Language overview](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/?branch=release-public-preview).

**4. Real-Time Dashboards:** to understand these, imagine a dashboard as a customizable control panel on your computer or game console.
- Each section, or "tile," shows you different information, like your score, health level, or map in a game. 
  - These tiles are set up to show specific data and can be arranged in different pages to keep things organized. Just like you can change settings in a game. 
  - You can tweak these tiles to show different data or look different visually. It's like having a bunch of mini-screens, each showing you something useful, and you can export complex data queries from Kusto Query Language (KQL) directly into these tiles as visuals.
  - It's like having a high-performance gaming rig that lets you switch between screens and data without lag, giving you a smooth and integrated experience.

**5. Eventstream:** Think of event streams in Microsoft Fabric as a super handy tool that lets you **_handle_ live data `without any coding`**. 
- It's like a high-tech funnel that **`collects`**, **`changes`**, and **`sends`** data to different places automatically. 
  - When you set up an eventstream in the system, you're basically creating a mini-factory that processes real-time data. You tell it where to get data from, where to send it, and how to change it along the way if needed. 
- It's part of a bigger feature called **`Real-Time Intelligence`**, which is all about making sense of data as it happens.

## KQL Database objects
As with many databases, the KQL Database has many objects to handle your data storage, streaming, and querying needs to support your decision making systems downstream. From the event house landing page, you can select on any of the databases and navigate to the individual database for exploring data, adding elements, and more.

<img src="../images/01_Get started with Microsoft Fabric/08/kql-database-landing.png" alt="KQL Database landing page" style="border: 2px solid black; border-radius: 10px;">

- **A table:** is a schema entity that contains a **set of columns and rows** of data. A table has a well-defined schema (an ordered list of column name and data type pairs). You can use the `.create table` command to create a new table, the `.show table` command to show the table schema, and the `.ingest` command to ingest data into a table.
- **A function:** is a schema entity that encapsulates a **subquery expression** that can be invoked from within other KQL queries. A stored function has a name, an optional list of parameters, and a body that contains the subquery expression. You can use the `.create function` command to create a new stored function, and the `.show functions` command to show the stored functions in a database.
- **A materialized view:** is a schema entity that stores **precomputed results** of a query for faster retrieval. A materialized view has a name, an optional list of parameters, and a body that contains the query expression. You can use the `.create materialized-view` command to create a new materialized view, and the `.show materialized-views` command to show the materialized views in a database.
- **A datastream:** is a representation of all of the **attached KQL eventstream** connected to the KQL database

# Describe Microsoft Fabric Real-Time hub

## Getting data into the Real-Time hub
The Real-Time Hub serves as your gateway to uncover and control the flow of your streaming data. It's a dynamic catalog that includes:

<img src="../images/01_Get started with Microsoft Fabric/08/real-time-hub-highlight.png" alt="Real-Time hub role" style="border: 2px solid black; border-radius: 10px;">

- **Event streams:** Gain access to all the active event streams within Fabric that you're permitted to view.
- **Microsoft Sources:** Quickly find and configure streaming sources available to you, such as Azure Event Hubs, Azure IoT Hub, and various Change Data Capture (CDC) options from Azure SQL DB, Azure Cosmos DB, and PostgreSQL DB.
- **Fabric Events:** Use event-driven features for instant notifications and data handling. Keep tabs on events from Fabric Workspace Items to Azure Blob Storage, which can initiate further processes or workflows. This action could involve starting a data pipeline or dispatching an email alert. Plus, you have the flexibility to route these events to different destinations through Event streams. Alerts allow you to interact both within your workspace and outside of it from the Real-Time hub by selecting the <img src="../images/01_Get started with Microsoft Fabric/08/set-alert-button.png" alt="Real-Time hub role">  **_Set alert_** button.

All this information is presented in an easy-to-digest format, ensuring seamless integration with your Fabric workloads.

## Source the event stream
The Microsoft Fabric Real-Time Intelligence experience's event streams feature allows for seamless integration of real-time events into Fabric. You can create an eventstream, which is an instance within Fabric, add sources of event data, apply optional transformations to the data, and route it to various destinations, all without the need for coding. This no-code approach simplifies the process of managing event data within Fabric.

<img src="../images/01_Get started with Microsoft Fabric/08/event-stream-sources.png" alt="Event stream sources" style="border: 2px solid black; border-radius: 10px;">

## Processing events within event streams
The drag and drop interface offers a straightforward and user-friendly method for constructing your event data workflows. This includes processing, transformation, and routing, all without the need for coding. An eventstream's data flow diagram provides a clear visual representation of the data's journey and structure. Additionally, the event processor editor's no-code environment enables you to design your event data processing logic simply by dragging and dropping elements into place.

- **Transformation Description:** When you create an eventstream with Enhanced capabilities enabled, all destinations support transformation operations. Without Enhanced capabilities, transformations are only available for Lakehouse and KQL Database destinations, which handle event processing before ingestion.

- **Filter:** Use the Filter transformation to filter events based on the value of a field in the input. Depending on the data type (number or text), the transformation keeps the values that match the selected condition, such as is `null` or `is not null`.
- **Manage fields:** This transformation allows you to add, remove, change data type, or rename fields coming in from an input or another transformation.
- **Aggregate:** Use the Aggregate transformation to calculate an aggregation (Sum, Minimum, Maximum, or Average) every time a new event occurs over a period of time. This operation also allows for the renaming of these calculated columns, and filtering or slicing the aggregation based on other dimensions in your data. You can have one or more aggregations in the same transformation.
- **Group by:** Use the Group by transformation to calculate aggregations across all events within a certain time window. You can group by the values in one or more fields. It's like the Aggregate transformation allows for the renaming of columns, but provides more options for aggregation and includes more complex options for time windows. Like Aggregate, you can add more than one aggregation per transformation.
- **Union:** Use the Union transformation to connect two or more nodes and add events with shared fields (with the same name and data type) into one table. Fields that don't match are dropped and not included in the output.
- **Expand:** Use this array transformation to create a new row for each value within an array.
- **Join:** this is a transformation to combine data from two streams based on a matching condition between them.

## Standard destination locations
We can see that by not choosing the enhanced capabilities, our destinations are limited.

| Destination	| Description |
| -- | -- |
| Custom app	| With this feature, you can seamlessly direct your real-time event traffic to a bespoke application. It enables the integration of your proprietary applications with the event stream, allowing for the immediate consumption of event data. This feature is advantageous when you aim to transfer real-time data to an independent system not hosted on the Microsoft Fabric. |
| Lakehouse	| This destination empowers you to preprocess your real-time events prior to their ingestion into your lakehouse. The events are transformed into Delta Lake format and later stored in specific lakehouse tables, facilitating your data warehousing needs. For detailed guidance on utilizing the event processor for real-time data handling, refer to the 'Process event data with event processor editor' section. |
| KQL database	| This destination offers the capability to funnel your real-time event data into a KQL database, granting you the power to employ the robust Kusto Query Language (KQL) for data interrogation and analysis. Housing your data within the KQL database unlocks the potential for enhanced comprehension of your event data and the creation of comprehensive reports and dashboards. You have the flexibility to opt for one of two data ingestion approaches: either direct ingestion or preprocessing of events prior to ingestion. |
| Reflex	| This destination facilitates a direct linkage of your real-time event data with a Reflex. A Reflex is an intelligent entity equipped with all necessary details to establish data connections, monitor specific conditions, and execute actions. Upon the event data meeting certain predefined criteria or identifying particular patterns, the Reflex autonomously initiates suitable responses, such as notifying users or triggering Power Automate workflows. |

## Enhanced destination locations
When you choose the enhanced capabilities, you're able to use the standard destinations along with **_derived stream_**.

| Destination	| Description |
|-- |-- |
| Derived stream	| The derived stream is a specialized destination created post-application of stream operations like Filter or Manage Fields to an eventstream. It represents the altered default stream after processing, which can be routed to various destinations within Fabric and monitored in the Real-Time hub. |

You're now able to attach to multiple destinations within an event stream at the same time without impacting or colliding with each other.

<img src="../images/01_Get started with Microsoft Fabric/08/real-time-events-workflow.png" alt="Simultaneous event streams" style="border: 2px solid black; border-radius: 10px;">

# Write queries with KQL
To query data from a table in a KQL database, you can use the **Kusto Query Language (KQL)**, which is used to write queries in Azure Data Explorer, Azure Monitor Log Analytics, Azure Sentinel, and Microsoft Fabric. KQL is a read-only request to process data and return results. KQL queries are made of one or more query statements.

A query statement consists of a table name followed by one or more operators that take, `filter`, `transform`, `aggregate`, or `join` data. For example:

KQL queries are created using relational operators to filter and transform data using a syntax similar to SQL. However, KQL syntax includes extensions that enable advanced text and pattern matching, statistical analysis, time-series projections, geo-spatial, and machine learning algorithms.

## Create and load tables in KQL
In most cases, you create tables and define their source using the graphical tools in Microsoft Fabric. However, you can use KQL statements to create and load tables.

To create a table and ingest data into it, you can use the `.create table` command, which creates a new empty table with a specified schema. You need to provide the table name, the column names and their data types, and optionally some properties such as docstring or folder. For example:

In [0]:
%sql --Kusto
.create table sales (
     SalesOrderNumber: string,
     SalesOrderLineItem: int,
     OrderDate: datetime,
     CustomerName: string,
     EmailAddress: string,
     Item: string,
     Quantity: int,
     UnitPrice: real,
     TaxAmount: real)

This command creates a table called **sales** with 9 columns of different data types.

You can ingest data into a table in multiple ways, including the `ingest into` command, as shown in this example:

In [0]:
%sql --kql
.ingest into table sales 'https://<StorageAccountName>.blob.core.windows.net/container/<TableName>.csv' 
 with (ignoreFirstRecord = true)

## Retrieve data from a table
A basic KQL query consists of selecting data from a table and applying filters and transformations to the data. In the following example, we're going to just query all the data from the `sales` table.

In [0]:
%sql -kql
sales

The output from this query would look similar to the following example:

| SalesOrderNumber | SalesOrderLineItem | OrderDate | CustomerName | EmailAddress | Item | Quantity | UnitPrice | TaxAmount |
| -- | -- | -- | -- | -- | -- | -- | -- | -- |
| SO43701	          | 1	                  | 2019-07-01T00:00:00Z	    | Christy Zhu	  | christy12@adventure-works.com	| Mountain-100 Silver 44	| 1	| 3399.99	| 271.9992 |
| SO43704	          | 1	                  | 2019-07-01T00:00:00Z	    | Julio Ruiz	  | julio1@adventure-works.com	| Mountain-100 Black 48	| 1	| 3374.99	| 269.9992 |
| SO43705	          | 1	                  | 2019-07-01T00:00:00Z	    | Curtis Lu	    | curtis9@adventure-works.com	| Mountain-100 Silver 38	| 1	| 3399.99	| 271.9992 |
| SO43700	          | 1	                  | 2019-07-01T00:00:00Z	    | Ruben Prasad	| ruben10@adventure-works.com	| Road-650 Black 62	| 1	| 699.0982 | 55.9279 |
| SO43703	          | 1	                  | 2019-07-01T00:00:00Z	    | Albert Alvarez| albert7@adventure-works.com	| Road-150 Red 62	| 1	| 3578.27	| 286.2616 |
| SO43697	          | 1	                  | 2019-07-01T00:00:00Z	    | Cole Watson	  | cole1@adventure-works.com	| Road-150 Red 62	| 1	| 3578.27	| 286.2616 |
| SO43699	          | 1	                  | 2019-07-01T00:00:00Z	    | Sydney Wright	| sydney61@adventure-works.com	| Mountain-100 Silver 44	| 1	| 3399.99	| 271.9992 |
| ...	| ...	| ...	| ...	| ...	| ...	| ...	| ...	| ... |

The query output can then be further analyzed using visualization tools or integrated with other programs to create custom dashboards and automated workflows.

The next example returns five rows from the sales table in the KQL database by using the `take` statement, which is a simple and quick way to view a small sample of records when browsing data.

In [0]:
%sql --kql
sales
| take 5

This time, the results include five rows:

| SalesOrderNumber | SalesOrderLineItem | OrderDate | CustomerName | EmailAddress | Item | Quantity | UnitPrice | TaxAmount |
| -- | -- | -- | -- | -- | -- | -- | -- | -- |
| SO43701	          | 1	                  | 2019-07-01T00:00:00Z	    | Christy Zhu	  | christy12@adventure-works.com	| Mountain-100 Silver 44	| 1	| 3399.99	| 271.9992 |
| SO43704	          | 1	                  | 2019-07-01T00:00:00Z	    | Julio Ruiz	  | julio1@adventure-works.com	| Mountain-100 Black 48	| 1	| 3374.99	| 269.9992 |
| SO43705	          | 1	                  | 2019-07-01T00:00:00Z	    | Curtis Lu	    | curtis9@adventure-works.com	| Mountain-100 Silver 38	| 1	| 3399.99	| 271.9992 |
| SO43700	          | 1	                  | 2019-07-01T00:00:00Z	    | Ruben Prasad	| ruben10@adventure-works.com	| Road-650 Black 62	| 1	| 699.0982 | 55.9279 |
| SO43703	          | 1	                  | 2019-07-01T00:00:00Z	    | Albert Alvarez| albert7@adventure-works.com	| Road-150 Red 62	| 1	| 3578.27	| 286.2616 |

### Filter with the where clause
In KQL, `where` is a clause that is used to filter the rows of a table based on a specified condition. The `where` clause is followed by a Boolean expression that evaluates to `true` or `false` for each row in the table. Rows for which the expression evaluates to `true` are included in the result, while rows for which the expression evaluates to `false` are excluded.

The `contains` operator is used in the `where` clause of the query to filter the rows of the **_sales_** table based on whether the **Item** column contains the string "Mountain-100".

In [0]:
%sql --kql
sales
| where Item contains 'Mountain-100'

The results include only sales for items containing "Mountain-100":

| SalesOrderNumber	| SalesOrderLineItem	| OrderDate	| CustomerName	| EmailAddress	| Item	| Quantity	| UnitPrice	| TaxAmount |
| -- | -- | -- | -- | -- | -- | -- | -- | -- |
| SO43701	| 1	| 2019-07-01T00:00:00Z	| Christy Zhu	| christy12@adventure-works.com	| Mountain-100 Silver 44	| 1	| 3399.99	| 271.9992 |
| SO43704	| 1	| 2019-07-01T00:00:00Z	| Julio Ruiz	| julio1@adventure-works.com	| Mountain-100 Black 48	| 1	| 3374.99	| 269.9992 |
| SO43705	| 1	| 2019-07-01T00:00:00Z	| Curtis Lu	| curtis9@adventure-works.com	| Mountain-100 Silver 38	| 1	| 3399.99	| 271.9992 |
| SO43699	| 1	| 2019-07-01T00:00:00Z	| Sydney Wright	| sydney61@adventure-works.com	| Mountain-100 Silver 44	| 1	| 3399.99	| 271.9992 |
| ...	| ...	| ...	| ...	| ...	| ...	| ...	| ...	| ... |

KQL works well when you want to work with time series data. For example, to filter the sales data to show orders that occurred between two datetime values. You can take advantage of many time series functions, including `now()`, which returns the current time. This example returns all orders that occurred within the last day (24 hours).

In [0]:
%sql --kql
sales
| where OrderDate between (now(-1d) .. now())

The results are filtered to include only orders within the specified time period.

SalesOrderNumber	SalesOrderLineItem	OrderDate	CustomerName	EmailAddress	Item	Quantity	UnitPrice	TaxAmount
SO49171	1	2023-05-01T22:01:00Z	Mariah Foster	mariah21@adventure-works.com	Road-250 Black 48	1	2181.5625	174.525
SO49172	1	2021-05-01T23:55:00Z	Brian Howard	brian23@adventure-works.com	Road-250 Red 44	1	2443.35	195.468
SO49173	1	2021-05-02T01:10:00Z	Linda Alvarez	linda19@adventure-works.com	Mountain-200 Silver 38	1	2071.4196	165.7136
...	...	...	...	...	...	...	...	...

### Sort query results
This query uses the `sort` operator to retrieve sales of "Mountain-100" items sorted so that the most recent sales are shown first:

In [0]:
%sql -kql
sales
| where Item contains 'Mountain-100'
| sort by OrderDate desc

The results look similar to this example:

SalesOrderNumber	SalesOrderLineItem	OrderDate	CustomerName	EmailAddress	Item	Quantity	UnitPrice	TaxAmount
SO43699	1	2023-05-01T00:00:00Z	Sydney Wright	sydney61@adventure-works.com	Mountain-100 Silver 44	1	3399.99	271.9992
SO43705	1	2023-04-20T00:00:00Z	Curtis Lu	curtis9@adventure-works.com	Mountain-100 Silver 38	1	3399.99	271.9992
SO43704	1	2023-04-12T00:00:00Z	Julio Ruiz	julio1@adventure-works.com	Mountain-100 Black 48	1	3374.99	269.9992
SO43701	1	2023-03-27T00:00:00Z	Christy Zhu	christy12@adventure-works.com	Mountain-100 Silver 44	1	3399.99	271.9992
...	...	...	...	...	...	...	...

### Summarize and aggregate
You can use the `summarize` operator to group data by a column and create a new column with an aggregation for the group. For example, the following query returns the total quantity of each item that has sold.

In [0]:
%sql --kql
sales
| summarize ItemsSold= sum(Quantity) by Item

The results include a column based on the aggregation function used (in this case `sum()`)

Item	ItemsSold
Water Bottle - 30 oz.	2,097
Patch Kit/8 Patches	1,621
Mountain Tire Tube	1,581
Road Tire Tube	1,212
...	...

## Using Copilot to assist with queryset queries
One new feature within the Microsoft Real-Time Intelligence tooling is the ability to use [Copilot for Real-Time Intelligence](https://learn.microsoft.com/en-us/fabric/get-started/copilot-real-time-intelligence?branch=main). Copilot gives you the ability to write natural language prompts instead of writing or having to quickly learn KQL queries.

When your administrator enables Copilot, you see the option in the top menubar of your querysets. When you ask a question about your data, Copilot will generate the KQL Code to answer your question. You can create several queries within the queryset using this no-code approach to gather useful information for user consumption.

<img src="../images/01_Get started with Microsoft Fabric/08/copilot.png" alt="Nocode Copilot approach using Querysets" style="border: 2px solid black; border-radius: 10px;">

Once you have queries within the queryset, you can then Pin them to an existing dashboard or create a new dashboard. To accomplish this, select the queries you want pinned, and then select the **Pin to dashboard**. This gives you a window to perform other actions.

<img src="../images/01_Get started with Microsoft Fabric/08/copilot-pin-to-dashboard.png" alt="Nocode Copilot Pin to dashboard" style="border: 2px solid black; border-radius: 10px;">

You also have the ability to add a queryset query to a Power BI Report by highlighting your preferred query and then selecting the **Build PowerBI report**.

<img src="../images/01_Get started with Microsoft Fabric/08/copilot-build-power-bi-report.png" alt="Nocode Copilot Build PowerBI Report" style="border: 2px solid black; border-radius: 10px;">

<img src="https://files.training.databricks.com/images/icon_note_32.png" alt="Note"> You can only select one query at a time using the **Pin to Dashboard** or the **Build PowerBI report** but you can append dashboard elements to existing dashboards.