KQL Playground

A working KQL engine in your browser. Type queries against pre-loaded sample tables — the same Sentinel-shaped data my Invoke-KqlPS PowerShell module uses for offline practice. Translates KQL to SQLite SQL via a hand-written lexer/parser, executes against sql.js (WASM SQLite). No backend, no signup, no telemetry.

Loading sample data...

View translated SQL

What's supported

Pragmatic subset — the most common ~80% of real SOC queries. Full faithful parity with the PowerShell module is on the roadmap.

Operators: where, project, project-keep, project-away, extend, summarize ... by, count, top N by, take, limit, distinct, order/sort by, let (scalar)
Predicates: ==, !=, <, >, <=, >=, contains, !contains, contains_cs, startswith, endswith, has, !has, in (...), !in (...), between (a..b), and, or, not
Functions: ago, now, datetime, bin, tolower, toupper, strlen, strcat, substring, isempty, isnotempty, isnull, isnotnull, iff, tostring, toint, tolong, toreal, todatetime, count, dcount, sum, avg, min, max, countif, sumif
Tables: 16 Sentinel-shaped sample tables (DeviceLogonEvents, DeviceProcessEvents, SigninLogs, SecurityEvent, etc.). See the sidebar.
Not yet: join, union, parse, mv-expand, render, materialize, regex matchers (=~, matches regex), advanced time-series operators. The engine throws a clear error if you hit one.