Customize results in the KQL Queryset results grid

Use the results grid in the KQL Queryset to customize results and perform further analysis on your data. This article describes actions that can be done in the results grid after a query has been run.

Prerequisites

Expand a cell

Expanding cells are useful to view long strings or dynamic fields such as JSON.

  1. Double-click a cell to open an expanded view. This view allows you to read long strings, and provides a JSON formatting for dynamic data.

    Screenshot of the KQL Queryset showing the results of a query with an expanded cell to show long strings. The expanded cell is highlighted.

  2. Select on the icon on the top right of the result grid to switch reading pane modes. Choose between the following reading pane modes for expanded view: inline, below pane, and right pane.

    Screenshot of the KQL Queryset results pane showing the option to change the view mode of the query results pane.

Expand a row

When working with a table with many columns, expand the entire row to be able to easily see an overview of the different columns and their content.

  1. Click on the arrow > to the left of the row you want to expand.

    Screenshot of the KQL Queryset results pane showing an expanded row.

  2. Within the expanded row, some columns are expanded (arrow pointing down), and some columns are collapsed (arrow pointing right). Click on these arrows to toggle between these two modes.

Group column by results

Within the results, you can group results by any column.

  1. Run the following query:

    StormEvents
    | sort by StartTime desc
    | take 10
    
  2. Hover over the State column, select the menu, and select Group by State.

    Screenshot of the KQL Queryset result pane showing the menu of the column titled State. The menu option to group by state is highlighted.

  3. In the grid, double-click on California to expand and see records for that state. This type of grouping can be helpful when doing exploratory analysis.

    Screenshot of a query results grid with California group expanded in the KQL Queryset.

  4. Hover over the Group column, then select Reset columns/Ungroup by <column name>. This setting returns the grid to its original state.

    Screenshot of the reset columns setting highlighted in the column dropdown.

Hide empty columns

You can hide/show empty columns by toggling the eye icon on the results grid menu.

Screenshot of the KQL Queryset result pane. The eye icon to hide and show empty columns in the results pane is highlighted.

Filter columns

You can use one or more operators to filter the results of a column.

  1. To filter a specific column, select the menu for that column.

  2. Select the filter icon.

  3. In the filter builder, select the desired operator.

  4. Type in the expression you wish to filter the column on. Results are filtered as you type.

    Note

    The filter isn't case sensitive.

  5. To create a multi-condition filter, select a boolean operator to add another condition

  6. To remove the filter, delete the text from your first filter condition.

Run cell statistics

  1. Run the following query.

    StormEvents
    | sort by StartTime desc
    | where DamageProperty > 5000
    | project StartTime, State, EventType, DamageProperty, Source
    | take 10
    
  2. In the results pane, select a few of the numerical cells. The table grid allows you to select multiple rows, columns, and cells and calculate aggregations on them. The following functions are supported for numeric values: Average, Count, Min, Max, and Sum.

    Screenshot of the KQL query results pane showing a few numerical cells that are selected. The outcome of the selection shows a calculated aggregation of those cells.

Filter to query from grid

Another easy way to filter the grid is to add a filter operator to the query directly from the grid.

  1. Select a cell with content you wish to create a query filter for.

  2. Right-click to open the cell actions menu. Select Add selection as filter.

    Screenshot of a dropdown with the Add selection as filter option to query directly from the grid.

  3. A query clause will be added to your query in the query editor:

    Screenshot of the query editor showing query clause added from filtering on the grid in the KQL Queryset.

Pivot

The pivot mode feature is similar to Excel's pivot table, enabling you to do advanced analysis in the grid itself.

Pivoting allows you to take a column's value and turn them into columns. For example, you can pivot on State to make columns for Florida, Missouri, Alabama, and so on.

  1. On the right side of the grid, select Columns to see the table tool panel.

    Screenshot showing how to access the pivot mode feature.

  2. Select Pivot Mode, then drag columns as follows: EventType to Row groups; DamageProperty to Values; and State to Column labels.

    Screenshot highlighting selected column names to create the pivot table.

    The result should look like the following pivot table:

    Screenshot of results in a pivot table.

Search in the results grid

You can look for a specific expression within a result table.

  1. Run the following query:

    StormEvents
    | where DamageProperty > 5000
    | take 1000
    
  2. Select the Search button on the right and type in "Wabash"

    Screenshot of query result pane highlighting the search option in the table.

  3. All mentions of your searched expression are now highlighted in the table. You can navigate between them by clicking Enter to go forward or Shift+Enter to go backward, or you can use the up and down buttons next to the search box.

    Screenshot of a table containing highlighted expressions from search results.