Fabric RTI 101: Functions in KQL

KQL provides a comprehensive library of functions that make it incredibly flexible for analytics. You’ll find functions across several categories — from simple text operations to advanced time-series analysis.

First, there’s a wide range of built-in functions. These include string functions like substring(), tolower(), and replace(); mathematical functions such as round(), sqrt(), and abs(); and datetime functions like now(), ago(), and datetime_diff(). These make it easy to clean, transform, and standardize your data right inside your query.

Then you have aggregation functions, which are essential for summarizing data — things like count(), avg(), sum(), max(), and percentile(). They’re used in combination with the summarize operator to calculate metrics across groups or time intervals.

For time-based analytics, KQL includes specialized time-series functions. One of the most powerful is make-series, which creates evenly spaced time intervals from event data. This allows you to analyze trends over time, perform moving averages, or even apply anomaly detection models.

Beyond the built-in capabilities, KQL also supports user-defined functions, which let you package up logic you use frequently into reusable blocks. For example, you might create a function that normalizes sensor readings or extracts key fields from logs, and then call it in multiple queries.

Using functions effectively makes your KQL code much more modular, readable, and reusable. Instead of rewriting the same logic in every query, you can define it once and call it whenever needed.

In practice, mastering functions — both built-in and custom — is one of the fastest ways to become efficient and expressive in KQL.

Learn more about Fabric RTI

If you really want to learn about RTI right now, we have an online on-demand course that you can enrol in, right now. You’ll find it at Mastering Microsoft Fabric Real-Time Intelligence

2026-06-22