project operator

Syntax

T | project ColumnName [= Expression] [, ...]

or

T | project [ColumnName | (ColumnName[,]) =] Expression [, ...]

Arguments

• T: The input table.

• ColumnName: Optional name of a column to appear in the output. If there is no Expression, then ColumnName is mandatory and a column of that name must appear in the input. If omitted, the name will be automatically generated. If Expression returns more than one column, a list of column names can be specified in parentheses. In this case Expression's output columns will be given the specified names, dropping all the rest of the output columns, if there are any. If a list of the column names is not specified, all Expression's output columns with generated names will be added to the output.

• Expression: Optional scalar expression referencing the input columns. If ColumnName is not omitted then Expression is mandatory.

  It is legal to return a new calculated column with the same name as an existing column in the input.

Returns

A table that has the columns named as arguments, and as many rows as the input table.

Example

The following example shows several kinds of manipulations that can be done using the project operator. The input table events has columns of type long which represent the time (original_time) an event was generated in milliseconds from the originating device, an ip address as a string which are both projected, named and used to show how they can be used to create derived columns.

events
  | project original_time,
            original_time_formatted_1min_buckets = bin(original_time, 60s),
            src_ip,
            string_ip= tostring(src_ip),
            hello_user_ip = strcat("hello world: ", string_ip),
            elapsed_time = now() - original_time,
            not_so_random_number = 5*10+64.45,
            not_so_random_timespan = not_so_random_number * 5d
  | where original_time > ago(10d) and  isnotempty(src_ip) == 1
  | take 1