make_set() (aggregation function)
Returns a dynamic (JSON) array of the set of distinct values that Expr takes in the group.
- Can be used only in context of aggregation inside summarize
Syntax
make_set (Expr [, MaxSize])
Arguments
- Expr: Expression for aggregation calculation.
- MaxSize: Optional integer limit on the maximum number of elements returned (default is 1048576). MaxSize cannot exceed 1048576.
Returns
Returns a dynamic (JSON) array of the set of distinct values that Expr takes in the group. The array's sort order is undefined.
Note:
To only count distinct values, use dcount()
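The following query is an added example, not part of the original page. It builds a small constructed `datatable` of events (the column names mirror the page's `events` table; the source names and user ids are made up) and shows the two points above together: `MaxSize` caps the set per group, while `dcount()` still reports the true number of distinct values, so comparing the two tells you which groups were truncated.

```kql
// Added example: constructed input, not the page's own data.
let events = datatable(original_time:datetime, data_source_name:string, user_id:string)
[
    datetime(2024-01-01 10:00:00), "Source A", "user1",
    datetime(2024-01-01 10:01:00), "Source B", "user1",
    datetime(2024-01-01 10:02:00), "Source A", "user1",   // duplicate value, collapses into the set
    datetime(2024-01-01 10:03:00), "Source C", "user2",
    datetime(2024-01-01 10:04:00), "Source C", "user2",
    datetime(2024-01-01 10:05:00), "Source D", "user2",
    datetime(2024-01-01 10:06:00), "Source E", "user2",
    datetime(2024-01-01 10:07:00), "Source F", "user2"
];
events
| summarize Sources = make_set(data_source_name, 3),   // keep at most 3 distinct values per user (MaxSize)
            SourceCount = dcount(data_source_name),    // true distinct count, not affected by MaxSize
            FirstSeen = min(original_time)
  by user_id
| extend Truncated = SourceCount > array_length(Sources) // true where the MaxSize cap dropped values
```

Expected result: `user1` gets a two-element set (the repeated "Source A" appears once) with `Truncated == false`; `user2` has four distinct sources but only three survive the cap, so `SourceCount` is 4, `array_length(Sources)` is 3 and `Truncated == true`. Which three of the four are kept is not guaranteed, since the array's order and selection under `MaxSize` are undefined.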
Example
events
| project original_time, data_source_name, name, user_id
//--- Search for the last 15 minutes of data
| where original_time > ago(15m)
//--- USER Criteria Here
| summarize Categories=make_set(data_source_name) by user_id
| take 2
Results
The rows below (abbreviated with ...) contain the list of data sources associated with each user_id.
| user_id | Categories |
|---|---|
| name1 | Trend Micro Deep Security @ trendMicroDeepSecuritySource, ..., Cisco Firepower Threat Defense @ 172.17.254.93 |
| user2 | Juniper JunOS Family of Devices @ gnuLinuxSource2, Juniper JunOS Family of Devices @ gnuLinuxSource3,..., |
See also
- mv-expand operator for the opposite function.
- make_set_if operator is similar to make_set, except it also accepts a predicate.