KQL Fundamentals – Count
![](https://cybergeeks.cloud/wp-content/uploads/2021/08/photo-1586769852836-bc069f19e1b6-750x450.webp)
Level: Beginner | Reading time: 5 minutes
Let’s continue our series on KQL with a focus on Cyber Security. Let’s talk today about how to use the Count operator. Other posts can be seen in our KQL category.
The Count operator is used to return a count of summarized or total records. It basically returns the number of rows of a searched result.
Use case example. Let’s look at the Perf table. It shows us the list below.
![](https://cybergeeks.cloud/wp-content/uploads/2021/08/image-76.png)
Now, I want to count the results returned using the count operator.
![](https://cybergeeks.cloud/wp-content/uploads/2021/08/image-77.png)
Let’s check an example with the SecurityEvent table for security events.
![](https://cybergeeks.cloud/wp-content/uploads/2021/08/image-78.png)
We can create a more specific filter like the one below, where I’m searching for the SecurityEvent table, for events that occurred more than 1h ago and adding the Computer column filtering by a specific server (containing the name Windows2019) and the EventSourceName that contains AppLocker in the name.
![](https://cybergeeks.cloud/wp-content/uploads/2021/08/image-79.png)
To count and know how many events occurred, let’s use the count operator.
![](https://cybergeeks.cloud/wp-content/uploads/2021/08/image-80.png)
Simple and easy! One more operator for you to use on a daily basis.
Thank you!