Contribute in GitHub:
Edit online
count_distinct() (aggregation function)
Counts unique values specified by the scalar expression per summary group, or the total number of unique values if the summary group is omitted.
To count only records for which a predicate returns true, use the count_distinctif aggregation function.
Syntax
count_distinct (Expr)
Arguments
| Name | Type | Required | Description |
|---|---|---|---|
| exp | scalar | ✓ | A scalar expression whose unique values are to be counted. |
Returns
Long integer value indicating the number of unique values of Expr per summary group.
Example
This example shows how many distinct src_ip are associated to each unique event name
events
| project name, severity, original_time, src_ip
| where original_time > ago(24h)
| where severity > 6 and isnotempty(name) and isnotempty(src_ip)
| summarize SrcIpCount=count_distinct(src_ip) by Name=name
| order by SrcIpCount desc
| take 10
Results
| Name | SrcIpCount |
|---|---|
| The processing of Group Policy failed | 69049896 |
| Content Protection Violation | 3675644 |
| Web Server Enforcement Violation | 746333 |
| Openfire Jabber server authentication bypass | 69486 |
| Deny protocol reverse path check | 50203 |
| Module Logging Command Invocation | 32767 |
| ThinkPHP Remote Code Execution Vulnerability | 16729 |
| Generic HTTP Cross Site Scripting Attempt | 8192 |
| WAN Acceleration Receive Event | 4196 |
| Adobe Products Violation | 2048 |