Contribute in GitHub:
Edit online
make_set_if() (aggregation function)
Returns a dynamic (JSON) array of the set of distinct values that Expr takes in the group, for which Predicate evaluates to true.
- Can be used only in context of aggregation inside summarize
Syntax
make_set_if (Expr, Predicate [, MaxSize])
Arguments
- Expr: Expression that will be used for aggregation calculation.
- Predicate: Predicate that has to evaluate to
truefor Expr to be added to the result. - MaxSize is an optional integer limit on the maximum number of elements returned (default is 1048576). MaxSize value cannot exceed 1048576.
Returns
Returns a dynamic (JSON) array of the set of distinct values that Expr takes in the group, for which Predicate evaluates to true. The array's sort order is undefined.
Note
To only count the distinct values, use dcountif()
See also
make_set function, which does the same, without predicate expression.
Example
events
| project original_time, data_source_name, name, user_id, severity
//--- Search for the last 5 minutes of data
| where original_time > ago(30d)
//--- USER Criteria Here
| summarize Score= make_set_if(severity, severity < 10) by user=isnotempty(user_id)
| take 2
Results
| user | Score |
|---|---|
| 0 | 8, 3, 9, 7, 2, 1, 6, 5, 4 |
| 1 | 8, 3, 9, 7, 2, 1, 6, 4, 5 |