Unable to understand summarize keyword syntax in "Aggregate content" and "Chain operators"

Question

Hi Team,

I was going through this article: https://learn.microsoft.com/en-us/training/modules/configure-log-analytics/5-structure-queries to learn about KQL and found out examples of "Aggregate content" and "Chain operators" in this article, but I am unable to understand its usage.

Basically the question in "Aggregate content" is that we have used:

StormEvent | summarize count(), avg(severity) by type, region so ideally this query should return 4 columns but it only returns 3?

Similarly in "Chain operators"

StormEvent
| where (EventLevelName == "Below")
| where (TimeGenerated > ago(14days))
| summarize StormEvent = count(), desc 

we are using "StormEvent = count()" which is confusing, we just wanted here count and then sort it desc.

Need your help to clarify this.

Thanks

This question is related to the following Learning Module

Answer 1

Hi Devesh,

Gratitude for your understanding.

We've reached out to the content author and received confirmation that they have revised the script.

Please feel free to contact us if you have any additional questions.

I will probably just remove the content and add a pointer to this learning path - Analyze monitoring data with Kusto Query Language - Training | Microsoft Learn. This monitoring module was not intended to provide in-depth coverage of KQL. This was just supposed to be a simple example, so I'll likely remove it. 

If you've found the provided answer helpful, please click the "Accept Answer/Upvote" button. This will be beneficial to other members of the Microsoft Q&A forum community.

Thank you.