Join
Kusto
Definition
The `join` operator in Kusto Query Language (KQL) combines rows from two tables based on a related column, similar to joins in SQL. It allows you to correlate data from different sources by matching values in specified columns. Depending on the join kind (e.g. inner, leftouter, or rightouter), it can return only matching rows or include unmatched rows from one or both tables. This makes it useful for enriching data, comparing datasets, or bringing together related information for analysis.
Examples & Use Cases
Join sign-in logs with user details

```sql
SigninLogs
| join kind=inner Users on UserPrincipalName
```

This returns only records where a matching UserPrincipalName exists in both tables.

### Join Types

**Inner Join (default)**

```
| join kind=inner TableB on Key
```

Returns only the rows where the `Key` values match in both tables.

**Left Outer Join**

```
| join kind=leftouter TableB on Key
```

Returns all rows from the left table and matching rows from the right table. Non-matching rows will have null values.

**Right Outer Join**

```
| join kind=rightouter TableB on Key
```

Returns all rows from the right table and matching rows from the left table.

**Full Outer Join**

```
| join kind=fullouter TableB on Key
```

Returns all rows from both tables, with nulls where there is no match.

---

### Joining on Different Column Names

```
| join kind=inner TableB on $left.UserId == $right.AccountId
```

This allows joining when the column names differ between tables.

---

### Combining with Filters

```
SigninLogs
| where Status == "Failed"
| join kind=inner Users on UserPrincipalName
```

This enriches failed sign-in events with user information.

---

### Why it matters

Data is often spread across multiple tables.

* Enables correlation between different datasets
* Helps enrich and contextualize data
* Supports more advanced investigations and analysis

However, joins can increase query complexity and impact performance, especially on large datasets, so they should be used thoughtfully.

---

## Further Reading

- [Microsoft Learn - join operator](https://learn.microsoft.com/en-us/kusto/query/join-operator)
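The filter-then-join pattern and the left outer join described above, combined into one self-contained query (an added example, not part of the original glossary entry). The rows are constructed sample data, and the `IPAddress`, `Department` and `IsAdmin` columns are assumptions made for illustration.

```kusto
// Constructed sample data so the query runs without any real tables.
// Column names other than UserPrincipalName and Status are assumptions.
let SigninLogs = datatable(TimeGenerated:datetime, UserPrincipalName:string, Status:string, IPAddress:string)
[
    datetime(2024-05-01 08:00:00), "alice@contoso.example", "Failed",  "203.0.113.10",
    datetime(2024-05-01 08:01:00), "alice@contoso.example", "Failed",  "203.0.113.10",
    datetime(2024-05-01 08:05:00), "bob@contoso.example",   "Success", "198.51.100.7",
    datetime(2024-05-01 08:07:00), "ghost@contoso.example", "Failed",  "203.0.113.10"
];
let Users = datatable(UserPrincipalName:string, Department:string, IsAdmin:bool)
[
    "alice@contoso.example", "Finance", false,
    "bob@contoso.example",   "IT",      true
];
SigninLogs
// Filter and aggregate first so fewer rows are fed into the join.
| where Status == "Failed"
| summarize FailedCount = count(), LastSeen = max(TimeGenerated)
    by UserPrincipalName, IPAddress
// leftouter keeps failed sign-ins for accounts that have no row in Users;
// kind=inner would silently drop them from the result.
| join kind=leftouter Users on UserPrincipalName
// The right-hand key column is renamed UserPrincipalName1 by the join;
// it is empty when no user record matched.
| extend KnownUser = isnotempty(UserPrincipalName1)
| project UserPrincipalName, IPAddress, FailedCount, LastSeen,
          Department, IsAdmin, KnownUser
| order by KnownUser asc, FailedCount desc
```

Failed attempts against an account name that is absent from the user directory are often worth a separate look, which is why the unmatched rows are kept and flagged here instead of being discarded by an inner join.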