buildschema() (aggregation function)
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Builds the minimal schema that admits all values of DynamicExpr.
Note
This function is used in conjunction with the summarize operator.
Syntax
buildschema
(
DynamicExpr)
Learn more about syntax conventions.
Parameters
Name | Type | Required | Description |
---|---|---|---|
DynamicExpr | dynamic |
✔️ | Expression used for the aggregation calculation. |
Returns
Returns the minimal schema that admits all values of DynamicExpr.
Tip
If the input is a JSON string, use the parse_json() function to convert the JSON to a dynamic value. Otherwise, an error may occur.
Example
The following example builds a schema based on:
{"x":1, "y":3.5}
{"x":"somevalue", "z":[1, 2, 3]}
{"y":{"w":"zzz"}, "t":["aa", "bb"], "z":["foo"]}
datatable(value: dynamic) [
dynamic({"x":1, "y":3.5}),
dynamic({"x":"somevalue", "z":[1, 2, 3]}),
dynamic({"y":{"w":"zzz"}, "t":["aa", "bb"], "z":["foo"]})
]
| summarize buildschema(value)
Results
schema_value |
---|
{"x":["long","string"],"y":["double",{"w":"string"}],"z":{"indexer ":["long","string"]},"t":{"indexer ":"string"}} |
The resulting schema tells us that:
- The root object is a container with four properties named x, y, z, and t.
- The property called
x
is of type long or of type string. - The property called
y
ii of type double, or another container with a property calledw
of type string. - The
indexer
keyword indicates thatz
andt
are arrays. - Each item in the array
z
is of type long or of type string. t
is an array of strings.- Every property is implicitly optional, and any array may be empty.
Schema model
The syntax of the returned schema is:
Container ::= '{' Named-type* '}';
Named-type: := (name | '"indexer
"') ':' Type;
Type ::= Primitive-type | Union-type | Container;
Union-type ::= '[' Type* ']';
Primitive-type ::= "long" | "string" | ...;
The values are equivalent to a subset of TypeScript type annotations, encoded as a Kusto dynamic value. In TypeScript, the example schema would be:
var someobject:
{
x?: (number | string),
y?: (number | { w?: string}),
z?: { [n:number] : (long | string)},
t?: { [n:number]: string }
}