This page compares the most common use cases between DQL and other well-established data query and processing languages like SQL, Splunk's SPL, and Microsoft's Kusto Query Language.
fetch events
SELECT * FROM events
sourcetype = event*
events
Narrows the number of records based on a filter expression. In this example, we are searching for payment events.
fetch events| filter event.type == "travel.funnel.booking-payment"
SELECT * FROM events WHERE 'event.type'="travel.funnel.booking-payment"
sourcetype = event* | where "event.type" = "travel.funnel.booking-payment"
events| where ['event.type'] == "travel.funnel.booking-payment"
We can add as many filters as needed to the pipeline. For example, we can look for bookings made by higher level loyalty customers traveling with children.
fetch events| filter event.type == "travel.funnel.booking-payment" and loyaltyStatus == "Platinum" and childrenTravelers > 0
SELECT * FROM events WHERE 'event.type'="travel.funnel.booking-payment" AND loyaltyStatus = "Platinum" AND childrenTravelers > 0
sourcetype = event*| where event.type = "travel.funnel.booking-payment" AND loyaltyStatus = "Platinum" AND childrenTravelers > 0
events| where ['event.type'] == "travel.funnel.booking-payment" and loyaltyStatus == "Platinum" and childrenTravelers > 0
Selecting just the relevant fields can be done in any pipeline stage. In this example, we will select only the product of successful bookings.
fetch events| filter event.type == "travel.funnel.booking-payment"| fields product
SELECT product FROM events WHERE 'event.type'="travel.funnel.booking-payment"
sourcetype = event*| where event.type = "travel.funnel.booking-payment"| fields product
event| where ['event.type'] == "travel.funnel.booking-payment"| project product
We can transform the selected records in the pipelines. For example, we select the booked trips' duration in days and we will turn it into weeks.
fetch event| filter event.type == "travel.funnel.booking-payment"| fieldsAdd journeyWeeks = journeyDuration/7| sort journeyWeeks desc
SELECT journeyDuration/7 AS journeyWeeks FROM events WHERE 'event.type'="travel.funnel.booking-payment" ORDER BY journeyWeeks DESC
sourcetype = event*| where event.type = "travel.funnel.booking-payment"| eval journeyweeks = journeyDuration/7| sort -journeyweeks
event| where ['event.type'] == "travel.funnel.booking-payment"| project journeyWeeks = journeyDuration/7| sort journeyweeks desc
If we are interested only in unique values in our key, we can deduplicate the results by grouping them.
fetch events| summarize count(), by:event.type| fields event.type
SELECT DISTINCT 'event.type' FROM events
sourcetype = event*| stats by "event.type"
events| summarize by event.type
After grouping selected records based on a field, we can aggregate the results to a new output.
fetch events| filter event.type == "travel.funnel.booking-payment"| summarize sum = sum(amount), by:travelAgency
SELECT sum(amount) AS sum FROM events GROUP BY sum, travelAgency WHERE 'event.type' == "travel.funnel.booking-payment"
sourcetype = event*| where "event.type" = "travel.funnel.booking-payment"| stats sum = sum(amount) by travelAgency
event| filter event.type == "travel.funnel.booking-payment"| summarize sum = sum(amount) by travelAgency
Let's take a look at a bit more complex use case, where we want to add a new field, based on a mathematical expression, to our result table.
fetch events| filter event.type == "travel.funnel.booking-payment"| summarize sum = sum(amount), by:{travelAgency, travelers}| fieldsAdd has_more_than_2 = travelers > 2
SELECT sum(amount) AS sum, travelers > 2 AS has_more_than_2 FROM events GROUP BY sum, has_more_than_2, travelAgency, travelers WHERE 'event.type' == "travel.funnel.booking-payment"
sourcetype = event*| where "event.type" = "travel.funnel.booking-payment"| stats sum = sum(amount) by travelAgency, travelers| eval has_more_than_2 = travelers > 2
events| where ['event.type'] == "travel.funnel.booking-payment"| summarize sumBytes = sum(amount) by travelAgency, travelers| project has_more_than_2 = travelers > 2