Multiple where clauses vs. 'and' in kusto

About

Asked 27/5, 2022 at 15:48 Answered 21/12, 2022 at 10:52

In terms of performance, is the following query

ResourceEvents
| where ResourceType == "Foo" and EventType == "Bar"

practically the same as

ResourceEvents
| where ResourceType == "Foo"
| where EventType == "Bar"

Or are the records filtered sequentially, performing two searches instead of one combined?

Chloric answered 27/5, 2022 at 15:48 Comment(0)

both options are equivalent in terms of semantics and performance

Hasan answered 27/5, 2022 at 16:6 Comment(0)

Adding to Yoni's answer, you can check it yourself by looking at the query plan.

.show queryplan  <|
StormEvents
| where State == "TEXAS" and EventType == "Flood"


.show queryplan  <|
StormEvents
| where State == "TEXAS" 
| where EventType == "Flood"

The plans are equivalent.

Increase answered 29/5, 2022 at 20:46 Comment(1)

Is there documentation for .show queryplan, I can't find it learn.microsoft.com/en-us/search/… – Karney 22/3, 2023 at 19:47

In your exact scenario, it seems to be equivalent; but if you have heavy parsing, better use chained | where clause compare to a | where ... and .... Maybe have a look at kql query best practices > 'Lookup for rare keys/values in dynamic object'.

Thanks @sheldonzy! I didn't knew about .show queryplan. It seems to not be available when using log analytics sadly; but some testing can be achieved by running queries on Microsoft test ADX which is freely available.

Siana answered 21/12, 2022 at 10:52 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags