count_distinctif() (aggregation function)
Conditionally counts the unique values of a scalar expression per summary group, or the total number of unique values if the summary group is omitted. Only records for which Predicate evaluates to true are counted.
If you only need an estimate of the number of unique values, use the less resource-intensive dcountif aggregation function instead.
Syntax
count_distinctif(Expr, Predicate)
Arguments
Name | Type | Required | Description |
---|---|---|---|
Expr | scalar | ✓ | A scalar expression whose unique values are to be counted. |
Predicate | string | ✓ | The expression used to filter the records to be aggregated. |
Returns
A long integer value indicating the number of unique values of Expr per summary group, counted over the records for which Predicate evaluates to true.
Example
This example shows how many distinct src_ip values are associated with each unique event name. Only records whose name contains the text Group Policy are counted. The other records are still processed and their groups still appear in the result, but the conditional aggregation is not performed for them, so their count is 0.
events
| project name, severity, original_time, src_ip
| where original_time > ago(24h)
| where severity > 6 and isnotempty(name) and isnotempty(src_ip)
| summarize SrcIpCount=count_distinctif(src_ip, name contains "Group Policy") by Name=name
| order by SrcIpCount desc
| take 10
Results
Name | SrcIpCount |
---|---|
The processing of Group Policy failed | 69049896 |
Content Protection Violation | 0 |
Web Server Enforcement Violation | 0 |
Openfire Jabber server authentication bypass | 0 |
Deny protocol reverse path check | 0 |
Module Logging Command Invocation | 0 |
ThinkPHP Remote Code Execution Vulnerability | 0 |
Generic HTTP Cross Site Scripting Attempt | 0 |
WAN Acceleration Receive Event | 0 |
Adobe Products Violation | 0 |
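The following is an added, self-contained illustration (not part of the original page): a small constructed datatable that reproduces the Group Policy example offline, so the conditional count can be checked by hand. The column names, event names and IP addresses are invented sample values, and the query also places dcountif and a plain count() beside count_distinctif to show how the three differ on the same groups.

```kusto
// Constructed sample events (not real data): three groups, only two of which
// match the predicate, plus a duplicate source IP inside a matching group.
let events = datatable(name:string, severity:int, src_ip:string) [
    "The processing of Group Policy failed", 7, "10.0.0.1",
    "The processing of Group Policy failed", 7, "10.0.0.2",
    "The processing of Group Policy failed", 8, "10.0.0.1",   // duplicate source, counted once
    "Group Policy application failed",       7, "10.0.0.3",   // separate group, predicate true
    "Content Protection Violation",          9, "10.0.0.4",   // predicate false: row kept, not counted
    "Content Protection Violation",          9, "10.0.0.5"
];
// Conditional aggregation: every group appears in the output, but only rows for
// which the predicate is true contribute to SrcIpCount and ApproxSrcIpCount.
// TotalRows counts all rows in the group regardless of the predicate, which makes
// the "processed but not counted" behaviour visible for the non-matching group.
events
| where severity > 6 and isnotempty(name) and isnotempty(src_ip)
| summarize SrcIpCount       = count_distinctif(src_ip, name contains "Group Policy"),
            ApproxSrcIpCount = dcountif(src_ip, name contains "Group Policy"),
            TotalRows        = count()
  by Name = name
| order by SrcIpCount desc
```

Filtering with `where name contains "Group Policy"` before summarize would instead remove the non-matching group from the result altogether, which is the practical difference between the two patterns when a report must list every event name.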