Merge pull request #6579 from ktalmor/wi-364896-batch6

KQL-consistency-batch6

Author: Stacyrch140

data-explorer/kusto/query/join-rightouter.md

@@ -3,7 +3,7 @@ title:  rightouter join
 description: Learn how to use the rightouter join flavor to merge the rows of two tables. 
 ms.reviewer: alexans
 ms.topic: reference
-ms.date: 08/11/2024
+ms.date: 01/21/2025
 ---
 
 # rightouter join
@@ -29,6 +29,8 @@ The `rightouter` join flavor returns all the records from the right side and onl
 
 ## Example
 
+This query returns all rows from table Y and any matching rows from table X, filling in NULL values where there is no match from X.
+
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
 > <a href="https://dataexplorer.azure.com/clusters/help/databases/Samples?query=H4sIAAAAAAAAA8tJLVGIULBVSEksAcKknFQN79RKq+KSosy8dB2FsMSc0lRDq5z8vHRNrmguBSBQT1TXMdSBMJPUdYwQTGMoM1ldx4Qr1porB2h0JH6jjVCNBhpiaIAwxQiJbQxjpwBNNwAZH6FQo5CVn5mnkJ2Zl2JblJmeUZJfWpJaBLQzP08BaBUAPvRgAtsAAAA=" target="_blank">Run the query</a>

data-explorer/kusto/query/join-rightsemi.md

@@ -3,7 +3,7 @@ title:  rightsemi join
 description: Learn how to use the rightsemi join flavor to merge the rows of two tables. 
 ms.reviewer: alexans
 ms.topic: reference
-ms.date: 08/11/2024
+ms.date: 01/21/2025
 ---
 
 # rightsemi join
@@ -29,6 +29,8 @@ The `rightsemi` join flavor returns all records from the right side that match a
 
 ## Example
 
+This query filters and returns only those rows from table Y that have a matching key in table X.
+
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
 > <a href="https://dataexplorer.azure.com/clusters/help/databases/Samples?query=H4sIAAAAAAAAA8tJLVGIULBVSEksAcKknFQN79RKq+KSosy8dB2FsMSc0lRDq5z8vHRNrmguBSBQT1TXMdSBMJPUdYwQTGMoM1ldx4Qr1porB2h0JH6jjVCNBhpiaIAwxQiJbQxjpwBNNwAZH6FQo5CVn5mnkJ2Zl2JblJmeUVKcmpsJtDI/TwFoEwCXFUWa2gAAAA==" target="_blank">Run the query</a>
@@ -59,3 +61,7 @@ X | join kind=rightsemi Y on Key
 | b | 10 |
 | c | 20 |
 | c | 30 |
+
+## Related content
+
+* Learn about other [join flavors](join-operator.md#returns)

data-explorer/kusto/query/join-time-window.md

@@ -3,28 +3,41 @@ title:  Joining within time window
 description: Learn how to perform a time window join operation to match between two large datasets.
 ms.reviewer: alexans
 ms.topic: reference
-ms.date: 08/11/2024
+ms.date: 01/28/2025
 ---
 # Time window join
 
 > [!INCLUDE [applies](../includes/applies-to-version/applies.md)] [!INCLUDE [fabric](../includes/applies-to-version/fabric.md)] [!INCLUDE [azure-data-explorer](../includes/applies-to-version/azure-data-explorer.md)] [!INCLUDE [monitor](../includes/applies-to-version/monitor.md)] [!INCLUDE [sentinel](../includes/applies-to-version/sentinel.md)]
 
 It's often useful to join between two large datasets on some high-cardinality key, such as an operation ID or a session ID, and further limit the right-hand-side ($right) records that need to match up with each left-hand-side ($left) record by adding a restriction on the "time-distance" between `datetime` columns on the left and on the right.
 
-The above operation differs from the usual Kusto join operation, since for the `equi-join` part of matching the high-cardinality key between the left and right datasets, the system can also apply a distance function and use it to considerably speed up the join.
+The above operation differs from the usual join operation, since for the `equi-join` part of matching the high-cardinality key between the left and right datasets, the system can also apply a distance function and use it to considerably speed up the join.
 
 > [!NOTE]
-> A distance function doesn't behave like equality (that is, when both dist(x,y) and dist(y,z) are true it doesn't follow that dist(x,z) is also true.) Internally, we sometimes refer to this as "diagonal join".
+> A distance function doesn't behave like equality (that is, when both dist(x,y) and dist(y,z) are true it doesn't follow that dist(x,z) is also true.) This is sometimes referred to as a "diagonal join".
 
-For example, if you want to identify event sequences within a relatively small time window, assume that you have a table `T` with the following schema:
+## Example to identify event sequences without time window
+
+To identify event sequences within a relatively small time window, this example uses a table `T` with the following schema:
 
 * `SessionId`: A column of type `string` with correlation IDs.
 * `EventType`: A column of type `string` that identifies the event type of the record.
 * `Timestamp`: A column of type `datetime` indicates when the event described by the record happened.
 
+| SessionId | EventType | Timestamp |
+|--|--|--|
+| 0 | A | 2017-10-01T00:00:00Z |
+| 0 | B | 2017-10-01T00:01:00Z |
+| 1 | B | 2017-10-01T00:02:00Z |
+| 1 | A | 2017-10-01T00:03:00Z |
+| 3 | A | 2017-10-01T00:04:00Z |
+| 3 | B | 2017-10-01T00:10:00Z |
+
+The following query creates the dataset and then identifies all the session IDs in which event type `A` was followed by an event type `B` within a `1min` time window.
+
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
-> <a href="https://dataexplorer.azure.com/clusters/help/databases/Samples?query=H4sIAAAAAAAAA8tJLVEIUbBVSEksAcKknFSN4NTi4sz8PM8Uq+KSosy8dB0F17LUvJKQyoJUuEhIZm5qcUliboEVUF9qCZCnycsVzculAATqBuo6CuqOQAImp2FkYGiua2iga2CoYGBgBUaaOsiqnfCoNkRWbUhItRGGanwuMUZWbUxItQmGajwuMYT5MtaalysEAKb/JupnAQAA" target="_blank">Run the query</a>
+> <a href="https://dataexplorer.azure.com/clusters/help/databases/Samples?query=H4sIAAAAAAAAA4WQTWvDMAyG74H8B91iQ1LsdjDI8GGFHnZubmOHdBGdu8YJjlgZ7MdPbsgHtKS2sbD12O8rnZGgAANVSTwPZxR77DrbuLcq78hbd0xh94OOit8Wx5vC1thRWbc5v0Pik4yj9zgCHolKUkheeRtyYq30c6ZVpjQolV+XTOf0doHWc1o/otc39JKTzZzePKKfbugFJ3qo8uMljgqIoz+4fKHHqZtgTNALmdY3J/wkGHufwp5KT2ZsdKBOjXXwbV1lrHPoeyOiD0EhxPsq22TI3lHa8YczncBJaNyETN4Fs5D13iQckC6IDoSq2dhqBZqjXKrnKvYPNlcRxHMCAAA=" target="_blank">Run the query</a>
 ::: moniker-end
 
 ```kusto
@@ -38,38 +51,6 @@ let T = datatable(SessionId:string, EventType:string, Timestamp:datetime)
     '3', 'B', datetime(2017-10-01 00:10:00),
 ];
 T
-```
-
-**Output**
-
-|SessionId|EventType|Timestamp|
-|---|---|---|
-|0|A|2017-10-01 00:00:00.0000000|
-|0|B|2017-10-01 00:01:00.0000000|
-|1|B|2017-10-01 00:02:00.0000000|
-|1|A|2017-10-01 00:03:00.0000000|
-|3|A|2017-10-01 00:04:00.0000000|
-|3|B|2017-10-01 00:10:00.0000000|
-
-**Problem statement**
-
-Our query should answer the following question:
-
-   Find all the session IDs in which event type `A` was followed by an
-   event type `B` within a `1min` time window.
-
-> [!NOTE]
-> In the sample data above, the only such session ID is `0`.
-
-Semantically, the following query answers this question, albeit inefficiently.
-
-:::moniker range="azure-data-explorer"
-> [!div class="nextstepaction"]
-> <a href="https://dataexplorer.azure.com/clusters/help/databases/Samples?query=H4sIAAAAAAAAA4WQTWvDMAyG74H8B91iQ1LsdjDI8GGFHnZubmOHdBGdu8YJjlgZ7MdPbsgHtKS2sbD12O8rnZGgAANVSTwPZxR77DrbuLcq78hbd0xh94OOit8Wx5vC1thRWbc5v0Pik4yj9zgCHolKUkheeRtyYq30c6ZVpjQolV+XTOf0doHWc1o/otc39JKTzZzePKKfbugFJ3qo8uMljgqIoz+4fKHHqZtgTNALmdY3J/wkGHufwp5KT2ZsdKBOjXXwbV1lrHPoeyOiD0EhxPsq22TI3lHa8YczncBJaNyETN4Fs5D13iQckC6IDoSq2dhqBZqjXKrnKvYPNlcRxHMCAAA=" target="_blank">Run the query</a>
-::: moniker-end
-
-```kusto
-T 
 | where EventType == 'A'
 | project SessionId, Start=Timestamp
 | join kind=inner
@@ -84,43 +65,15 @@ T
 
 **Output**
 
-|SessionId|Start|End|
-|---|---|---|
-|0|2017-10-01 00:00:00.0000000|2017-10-01 00:01:00.0000000|
+| SessionId | Start | End |
+|--|--|--|
+| 0 | 2017-10-01 00:00:00.0000000 | 2017-10-01 00:01:00.0000000 |
 
-To optimize this query, we can rewrite it as described below
-so that the time window is expressed as a join key.
+## Example optimized with time window
 
-**Rewrite the query to account for the time window**
+To optimize this query, we can rewrite it to account for the time window. THe time window is expressed as a join key. Rewrite the query so that the `datetime` values are "discretized" into buckets whose size is half the size of the time window. Use *`equi-join`* to compare the bucket IDs.
 
-Rewrite the query so that the `datetime` values are "discretized" into buckets whose size is half the size of the time window. Use Kusto's *`equi-join`* to compare those bucket IDs.
-
-```kusto
-let lookupWindow = 1min;
-let lookupBin = lookupWindow / 2.0; // lookup bin = equal to 1/2 of the lookup window
-T 
-| where EventType == 'A'
-| project SessionId, Start=Timestamp,
-          // TimeKey on the left side of the join is mapped to a discrete time axis for the join purpose
-          TimeKey = bin(Timestamp, lookupBin)
-| join kind=inner
-    (
-    T 
-    | where EventType == 'B'
-    | project SessionId, End=Timestamp,
-              // TimeKey on the right side of the join - emulates event 'B' appearing several times
-              // as if it was 'replicated'
-              TimeKey = range(bin(Timestamp-lookupWindow, lookupBin),
-                              bin(Timestamp, lookupBin),
-                              lookupBin)
-    // 'mv-expand' translates the TimeKey array range into a column
-    | mv-expand TimeKey to typeof(datetime)
-    ) on SessionId, TimeKey 
-| where (End - Start) between (0min .. lookupWindow)
-| project SessionId, Start, End 
-```
-
-**Runnable query reference (with table inlined)**
+The query finds pairs of events within the same session (*SessionId*) where an 'A' event is followed by a 'B' event within 1 minute. It projects the session ID, the start time of the 'A' event, and the end time of the 'B' event.
 
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
@@ -158,13 +111,13 @@ T
 
 **Output**
 
-|SessionId|Start|End|
-|---|---|---|
-|0|2017-10-01 00:00:00.0000000|2017-10-01 00:01:00.0000000|
+| SessionId | Start | End |
+|--|--|--|
+| 0 | 2017-10-01 00:00:00.0000000 | 2017-10-01 00:01:00.0000000 |
 
-**5M data query**
+## 5 million data query
 
-The next query emulates a dataset of 5M records and ~1M IDs and runs the query with the technique described above.
+The next query emulates an extensive dataset of 5M records and approximately 1M Session IDs and runs the query with the time window technique.
 
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
@@ -199,6 +152,10 @@ T
 
 **Output**
 
-|Count|
-|---|
-|3344|
+| Count |
+|--|
+| 3344 |
+
+## Related content
+
+* [join operator](join-operator.md)

data-explorer/kusto/query/let-statement.md

@@ -3,7 +3,7 @@ title:  Let statement
 description: Learn how to use the Let statement to set a variable name to define an expression or a function.
 ms.reviewer: alexans
 ms.topic: reference
-ms.date: 08/11/2024
+ms.date: 01/28/2025
 ms.localizationpriority: high
 ---
 # Let statement
@@ -67,6 +67,8 @@ To optimize multiple uses of the `let` statement within a single query, see [Opt
 
 [!INCLUDE [help-cluster](../includes/help-cluster-note.md)]
 
+The query examples show the syntax and example usage of the operator, statement, or function.
+
 ### Define scalar values
 
 The following example uses a scalar expression statement.
@@ -95,13 +97,13 @@ range y from 0 to ['some number'] step 5
 
 **Output**
 
-|y|
-|---|
-|0|
-|5|
-|10|
-|15|
-|20|
+| y |
+|--|
+| 0 |
+| 5 |
+| 10 |
+| 15 |
+| 20 |
 
 ### Create a user defined function with scalar calculation
 
@@ -120,13 +122,13 @@ range x from 1 to 5 step 1
 
 **Output**
 
-|x|result|
-|---|---|
-|1|5|
-|2|10|
-|3|15|
-|4|20|
-|5|25|
+| x | result |
+|--|--|
+| 1 | 5 |
+| 2 | 10 |
+| 3 | 15 |
+| 4 | 20 |
+| 5 | 25 |
 
 ### Create a user defined function that trims input
 
@@ -145,14 +147,14 @@ range x from 10 to 15 step 1
 
 **Output**
 
-|x|result|
-|---|---|
-|10|0|
-|11||
-|12|2|
-|13|3|
-|14|4|
-|15|5|
+| x | result |
+|--|--|
+| 10 | 0 |
+| 11 |  |
+| 12 | 2 |
+| 13 | 3 |
+| 14 | 4 |
+| 15 | 5 |
 
 ### Use multiple let statements
 
@@ -171,9 +173,9 @@ foo2(2) | count
 
 **Output**
 
-|result|
-|---|
-|50|
+| result |
+|--|
+| 50 |
 
 ### Create a view or virtual table
 
@@ -192,10 +194,10 @@ search MyColumn == 5
 
 **Output**
 
-|$table|MyColumn|
-|---|---|
-|Range10|5|
-|Range20|5|
+| $table | MyColumn |
+|--|--|
+| Range10 | 5 |
+| Range20 | 5 |
 
 ### Use a materialize function
 
@@ -226,11 +228,11 @@ on $left.Day1 == $right.Day
 
 **Output**
 
-|Day1|Day2|Percentage|
-|---|---|---|
-|2016-05-01 00:00:00.0000000|2016-05-02 00:00:00.0000000|34.0645725975255|
-|2016-05-01 00:00:00.0000000|2016-05-03 00:00:00.0000000|16.618368960101|
-|2016-05-02 00:00:00.0000000|2016-05-03 00:00:00.0000000|14.6291376489636|
+| Day1 | Day2 | Percentage |
+|--|--|--|
+| 2016-05-01 00:00:00.0000000 | 2016-05-02 00:00:00.0000000 | 34.0645725975255 |
+| 2016-05-01 00:00:00.0000000 | 2016-05-03 00:00:00.0000000 | 16.618368960101 |
+| 2016-05-02 00:00:00.0000000 | 2016-05-03 00:00:00.0000000 | 14.6291376489636 |
 
 ### Using nested let statements
 
@@ -261,13 +263,13 @@ StormEvents
 **Output**
 
 | State | s_s |
-|---|---|
+|--|--|
 | ATLANTIC SOUTH | ATLANTIC SOUTHATLANTIC SOUTH |
 | FLORIDA | FLORIDAFLORIDA |
 | FLORIDA | FLORIDAFLORIDA |
 | GEORGIA | GEORGIAGEORGIA |
 | MISSISSIPPI | MISSISSIPPIMISSISSIPPI |
-|...|...|
+| ... | ... |
 
 ### Tabular argument with wildcard
 

data-explorer/kusto/query/lookup-operator.md

@@ -3,7 +3,7 @@ title:  lookup operator
 description: Learn how to use the lookup operator to extend columns of a fact table.
 ms.reviewer: alexans
 ms.topic: reference
-ms.date: 12/04/2024
+ms.date: 01/20/2025
 ---
 # lookup operator
 
@@ -75,7 +75,7 @@ A table with:
 * If `kind` is unspecified or `kind=leftouter`, then in addition to the inner matches, there's a row for every row on the left (and/or right), even if it has no match. In that case, the unmatched output cells contain nulls.
 * If `kind=inner`, then there's a row in the output for every combination of matching rows from left and right.
 
-## Examples
+## Example
 
 The following example shows how to perform a left outer join between the  `FactTable` and `DimTable`, based on matching values in the `Personal` and `Family` columns.