Azure Data Explorer
An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.
561 questions
Kusto equivalent of Splunks stats values(*)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 4%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Maxo
5
Reputation points
Hi,
So im running into a problem with kusto where I need to perfom multiple summirize statements on each column I have if I want to achieve a simple equivalent of splunks | stats values(*) by SomeColumn And I would like to see an alternative if there is one.
e.g. in kusto say we have the folowing:
let somedata = datatable (UserName: string, SomeCount: int, SomeOtherPropertie1: string, SomeOtherPropertie2: string)
[
"Alex", 1, "somedata1", "somedata2",
"Alex", 2, "somedata11", "somedata22",
"Alex", 3, "somedata111", "somedata222",
"Alex", 3, "somedata1111", "somedata2222",
"Alex", 3, "somedata11111", "somedata22222",
"John", 3, "somedata111111", "somedata22222",
];
somedata
| summarize myset_c = makeset(SomeCount), myset_sp1 = makeset(SomeOtherPropertie1), myset_sp2 = makeset(SomeOtherPropertie2) by UserName
And splunk equivalent of the above, assuming we already have the index somedata
index=somedata
| stats values(*) by UserName
Will bascally do the same.
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 38%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQ%3C/text%3E%3C/svg%3E)
QuantumCache 20,356 Reputation points2023-08-11T17:42:46.2833333+00:00 Hello @Maxo welcome to QnA froum.
Did you try using the
make_bagaggregation function.make_bag() (aggregation function)
Some example looks like:
let T = datatable(prop:string, value:string) [ "prop01", "val_a", "prop02", "val_b", "prop03", "val_c", ]; T | extend p = bag_pack(prop, value) | summarize dict=make_bag(p)let somedata = datatable (UserName: string, SomeCount: int, SomeOtherPropertie1: string, SomeOtherPropertie2: string) [ "Alex", 1, "somedata1", "somedata2", "Alex", 2, "somedata11", "somedata22", "Alex", 3, "somedata111", "somedata222", "Alex", 3, "somedata1111", "somedata2222", "Alex", 3, "somedata11111", "somedata22222", "John", 3, "somedata111111", "somedata22222", ]; somedata | summarize mybag = make_bag(*) by UserName -
Maxo 5 Reputation points
2023-08-14T10:32:07.61+00:00 Hi, @SatishBoddu-MSFT
Im not sure if
make_bag()function is supposed to be able to take a wildchar, I get an error when above query is executed:
make_bag(): argument #1 must be a scalar expression -
QuantumCache 20,356 Reputation points
2023-08-18T18:33:18.93+00:00 Hello @Maxo Just checking on this topic, did you find any resolution on this issue? Please let us know if you need to add more info so that we better assist you!
Please try to specify each column explicitly.. let me know if that helps!
| summarize myset = make_bag(SomeCount, SomeOtherPropertie1, SomeOtherPropertie2), by UserName
Sign in to comment
Sign in to answer