Contribute in GitHub:
Edit online
extend operator
Create calculated columns and append them to the result set.
events
| project original_time, severity
| where original_time > ago(5m) //--- Search for the last 5 minutes of data
//--- User defined factor using extend
| extend low_rating_factor= (severity * 5 )/2
| where severity < 5
| project low_cred
Syntax
T | extend [ColumnName | (ColumnName[, ...]) =] Expression [, ...]
Arguments
- T: The input tabular result set.
- ColumnName: Optional. The name of the column to add or update. If omitted, the name will be generated. If Expression returns more than one column, a list of column names can be specified in parentheses. In this case Expression's output columns will be given the specified names, dropping the rest of the output columns, if there are any. If a list of the column names is not specified, all Expression's output columns with generated names will be added to the output.
- Expression: A calculation over the columns of the input.
Returns
A copy of the input tabular result set, such that:
- Column names noted by
extendthat already exist in the input are removed and appended as their new calculated values. - Column names noted by
extendthat do not exist in the input are appended as their new calculated values.
Tips
-
The
extendoperator adds a new column to the input result set, which does not have an index. In most cases, if the new column is set to be exactly the same as an existing table column that has an index, Kusto can automatically use the existing index. However, in some complex scenarios this propagation is not done.In such cases, if the goal is to rename a column, use the
project-renameoperator instead.
Example
This example counts all of the events ingested which took more than 1 second to be persisted to the database.
events_all
| project receive_time, storage_time, original_time
| where original_time > ago(5m)
| extend time_in_pipeline_in_ms = storage_time - receive_time
| where time_in_pipeline_in_ms > 1000
| count
Results
| Count |
|---|
| 2901 |