There's more...
As mentioned earlier, Log Analytics queries can start with either a table name or a search command. We looked at table-based queries at length in the previous section, and will now look at search-based queries.
When dealing with large data sets, search-based queries will have a higher query performance cost, and could take longer to complete than a table-based query. The performance and processing time could be even longer if the search queries are not scoped.
Because search queries are less structured than table-based queries, they are preferable when you are looking for a specific value across columns or tables rather than within a known table. For instance, given tables named SecurityEvent and WireData, you can narrow a search for a specific value by scoping it to those tables. Consider the following query, which makes no use of table scoping:
search "Failed"
The preceding query searches all columns in all tables in a workspace for the term "Failed". This query will not execute as efficiently as a query that makes use of a table scope:
search in (SecurityEvent, WireData) "Failed"
The preceding query results in a more efficient query operation because the search is scoped to specific tables.
In addition to table scoping, search-based queries support the boolean operators and and or, and can be piped into operations such as filtering, sorting, and aggregation. For instance, you can use a table scope to define and shape the initial result set, then perform further operations on that data:
search in (WireData) "*Russia*"
| distinct Computer, ApplicationProtocol
In the preceding search-based query, the search scopes the initial result set to records in the WireData table that contain "*Russia*" in any column. It then passes the returned result set on for further processing using the distinct tabular operator, which produces a table with the distinct combinations of the Computer and ApplicationProtocol columns of the WireData table:
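The following is an added example, not a query from the book, that combines the features described above (table scoping, boolean operators, and piped filtering, aggregation and sorting) in a single search-based query. It assumes the standard SecurityEvent columns TimeGenerated, Computer and Account; the threshold of 10 is a constructed value chosen for illustration.

```kql
// Added example, not from the original text.
// Scope the search to SecurityEvent and require both terms to match.
search in (SecurityEvent) "Failed" and "Logon"
// Filter: keep only records from the last 24 hours.
| where TimeGenerated > ago(1d)
// Aggregate: count matching records per computer and account.
| summarize FailedLogons = count() by Computer, Account
// Filter again on the aggregate (10 is a constructed threshold).
| where FailedLogons > 10
// Sort: noisiest computer/account pairs first.
| order by FailedLogons desc
```

Scoping to SecurityEvent keeps the search from scanning every table in the workspace, and the time filter is applied before summarize so that the aggregation runs over the smallest possible result set. The result is a table of Computer/Account pairs with their failed-logon counts, which is the kind of ranked view a defender would use to spot a host or account being targeted.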