tabular value converted to scalar doesn't work in subsequent calculation

Jeremy Hagan 0

Hi,

I am trying to do a percentage of total count per Event ID in the Security Event Table. My query is as follows:

let totalevents = toscalar(SecurityEvent
| summarize count());
SecurityEvent
| summarize count() by EventID
| extend total=totalevents
| extend perc = count_/total

However perc is always zero. What am I doing wrong here?

JamesTran-MSFT 36,361 Reputation points Microsoft Employee

2023-03-21T17:57:10.1233333+00:00

@Jeremy Hagan @Jeremy Hagan

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Clive Watson 5,711 Reputation points MVP

2023-03-16T10:31:09.5233333+00:00
Hi, The count value needs to be a double/real
https://learn.microsoft.com/en-gb/azure/data-explorer/kusto/query/todoublefunction

let totalevents = toscalar(SecurityEvent | summarize count()); SecurityEvent | summarize count() by EventID | extend total=totalevents | extend perc = todouble(count_) / total
Please sign in to rate this answer.
JamesTran-MSFT 36,361 Reputation points Microsoft Employee

2023-03-20T18:53:36.6266667+00:00

@Jeremy Hagan

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Sign in to comment