buildschema() (aggregation function)

Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel

Builds the minimal schema that admits all values of DynamicExpr.

Note

This function is used in conjunction with the summarize operator.

Syntax

buildschema (DynamicExpr)

Learn more about syntax conventions.

Parameters

Name Type Required Description
DynamicExpr dynamic ✔️ Expression used for the aggregation calculation.

Returns

Returns the minimal schema that admits all values of DynamicExpr.

Tip

If the input is a JSON string, use the parse_json() function to convert the JSON to a dynamic value. Otherwise, an error may occur.

Example

The following example builds a schema based on:

  • {"x":1, "y":3.5}
  • {"x":"somevalue", "z":[1, 2, 3]}
  • {"y":{"w":"zzz"}, "t":["aa", "bb"], "z":["foo"]}

datatable(value: dynamic) [
    dynamic({"x":1, "y":3.5}),
    dynamic({"x":"somevalue", "z":[1, 2, 3]}),
    dynamic({"y":{"w":"zzz"}, "t":["aa", "bb"], "z":["foo"]})
]
| summarize buildschema(value)

Results

schema_value
{"x":["long","string"],"y":["double",{"w":"string"}],"z":{"indexer":["long","string"]},"t":{"indexer":"string"}}

The resulting schema tells us that:

  • The root object is a container with four properties named x, y, z, and t.
  • The property called x is of type long or of type string.
  • The property called y is of type double, or another container with a property called w of type string.
  • The indexer keyword indicates that z and t are arrays.
  • Each item in the array z is of type long or of type string.
  • t is an array of strings.
  • Every property is implicitly optional, and any array may be empty.

Schema model

The syntax of the returned schema is:

Container ::= '{' Named-type* '}';
Named-type ::= (name | '"indexer"') ':' Type;
Type ::= Primitive-type | Union-type | Container;
Union-type ::= '[' Type* ']';
Primitive-type ::= "long" | "string" | ...;

The values are equivalent to a subset of TypeScript type annotations, encoded as a Kusto dynamic value. In TypeScript, the example schema would be:

var someobject:
{
    x?: (number | string),
    y?: (number | { w?: string}),
    z?: { [n:number] : (number | string)},
    t?: { [n:number]: string }
}
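
The schema model above can be walked recursively to check whether a new record is still admitted by a schema that buildschema() returned earlier, which is one way to notice that a log source has changed shape. The following Python is an added example, not part of the original documentation or of Kusto; the function name drift, the PRIMITIVES type mapping, and the choice to report properties absent from the schema are assumptions made for illustration.

```python
import json

# schema_value copied from the Results section of this page.
SCHEMA = json.loads(
    '{"x":["long","string"],"y":["double",{"w":"string"}],'
    '"z":{"indexer":["long","string"]},"t":{"indexer":"string"}}'
)

# Assumption: how the primitive names shown on the page map to Python types
# after json.loads(). Other Kusto primitive names are treated as unknown.
PRIMITIVES = {
    "long": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "double": lambda v: isinstance(v, float),
    "string": lambda v: isinstance(v, str),
}


def drift(schema, value, path="$"):
    """Return the places where value is not admitted by schema ([] = conforms)."""
    if isinstance(schema, str):  # Primitive-type
        ok = PRIMITIVES.get(schema, lambda v: False)(value)
        return [] if ok else [f"{path}: expected {schema}"]
    if isinstance(schema, list):  # Union-type: one matching member is enough
        if any(not drift(member, value, path) for member in schema):
            return []
        return [f"{path}: matches no union member"]
    # Container: "indexer" describes array items, other keys are properties.
    if isinstance(value, list):
        if "indexer" not in schema:
            return [f"{path}: unexpected array"]
        return [msg for i, item in enumerate(value)
                for msg in drift(schema["indexer"], item, f"{path}[{i}]")]
    if isinstance(value, dict):
        found = []
        for name, item in value.items():
            # Assumption: a property absent from the schema counts as drift.
            if name == "indexer" or name not in schema:
                found.append(f"{path}.{name}: unexpected property")
            else:
                found += drift(schema[name], item, f"{path}.{name}")
        return found
    return [f"{path}: expected object or array"]


if __name__ == "__main__":
    # Constructed records: the first conforms, the second has drifted.
    for raw in ('{"x": 7, "z": [1, "a"]}', '{"x": 2.5, "t": ["aa", 3], "q": 1}'):
        print(raw, "->", drift(SCHEMA, json.loads(raw)))
```

Because every property is optional and arrays may be empty, an empty object conforms; only values of an unlisted type, or properties the schema never saw, are reported.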