facet operator

Applies to: ✅ Azure Data Explorer, Azure Monitor, Microsoft Sentinel

Returns a set of tables, one for each specified column. Each table specifies the list of values taken by its column. An additional table can be created by using the with clause.

Syntax

T | facet by ColumnName [, ColumnName2, ...] [with ( filterPipe )]

Learn more about syntax conventions.

Parameters

| Name | Type | Required | Description |
|--|--|--|--|
| ColumnName | string | ✔️ | The column name, or list of column names, to be summarized. |
| filterPipe | string | | A query expression applied to the input table. |

Returns

Multiple tables: one for the with clause, and one for each column.

Example

StormEvents
| where State startswith "A" and EventType has "Heavy"
| facet by State, EventType
    with 
    (
    where StartTime between(datetime(2007-01-04) .. 7d) 
    | project State, StartTime, Source, EpisodeId, EventType
    | take 5
    )

The following is the table generated by the with clause.

| State | StartTime | Source | EpisodeId | EventType |
|--|--|--|--|--|
| ALASKA | 2007-01-04 12:00:00.0000000 | COOP Observer | 2192 | Heavy Snow |
| ALASKA | 2007-01-04 15:00:00.0000000 | Trained Spotter | 2192 | Heavy Snow |
| ALASKA | 2007-01-04 15:00:00.0000000 | Trained Spotter | 2192 | Heavy Snow |
| ALASKA | 2007-01-04 15:00:00.0000000 | Trained Spotter | 2192 | Heavy Snow |
| ALASKA | 2007-01-06 18:00:00.0000000 | COOP Observer | 2193 | Heavy Snow |

The following table is the State facet output table.

| State | count_State |
|--|--|
| ALABAMA | 19 |
| ARIZONA | 33 |
| ARKANSAS | 1 |
| AMERICAN SAMOA | 1 |
| ALASKA | 58 |

The following table is the EventType facet output table.

| EventType | count_EventType |
|--|--|
| Heavy Rain | 34 |
| Heavy Snow | 78 |
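
The same pattern applied to sign-in triage, as an added example that is not part of the original documentation. The table SigninSample, its column names, and every row in it are constructed for illustration.

```kusto
// Constructed sample data: table name, columns, and rows are hypothetical.
let SigninSample = datatable(TimeGenerated:datetime, Account:string, IPAddress:string, Result:string)
[
    datetime(2024-03-01 08:00:05), "alice", "203.0.113.10", "Failure",
    datetime(2024-03-01 08:00:09), "bob",   "203.0.113.10", "Failure",
    datetime(2024-03-01 08:00:14), "carol", "203.0.113.10", "Failure",
    datetime(2024-03-01 08:00:21), "dave",  "203.0.113.10", "Failure",
    datetime(2024-03-01 08:02:40), "alice", "198.51.100.7", "Failure",
    datetime(2024-03-01 08:03:02), "alice", "198.51.100.7", "Success",
    datetime(2024-03-01 08:15:30), "erin",  "198.51.100.9", "Failure",
    datetime(2024-03-01 09:40:00), "bob",   "203.0.113.10", "Failure"
];
SigninSample
// Keep only failed sign-ins; every output table is built from this input.
| where Result == "Failure"
// One value/count table per column: Account and IPAddress.
| facet by Account, IPAddress
    with
    (
    // Extra table: a few raw rows from the first hour, for context.
    where TimeGenerated between(datetime(2024-03-01 08:00:00) .. 1h)
    | project TimeGenerated, Account, IPAddress
    | take 3
    )
```

The query returns three tables: the with clause rows, an Account table with a count_Account column, and an IPAddress table with a count_IPAddress column. Reading the two facet tables side by side shows whether failures concentrate on one source address across many accounts or on one account across many addresses.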