facet operator
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Returns a set of tables, one for each specified column.
Each table specifies the list of values taken by its column.
An additional table can be created by using the with
clause.
Syntax
T | facet by
ColumnName [,
ColumnName2,
...] [with (
filterPipe )
]
Learn more about syntax conventions.
Parameters
Name | Type | Required | Description |
---|---|---|---|
ColumnName | string |
✔️ | The column name, or list of column names, to be summarized. |
filterPipe | string |
A query expression applied to the input table. |
Returns
Multiple tables: one for the with
clause, and one for each column.
Example
StormEvents
| where State startswith "A" and EventType has "Heavy"
| facet by State, EventType
with
(
where StartTime between(datetime(2007-01-04) .. 7d)
| project State, StartTime, Source, EpisodeId, EventType
| take 5
)
The following is the table generated by the with
clause.
State | StartTime | Source | EpisodeId | EventType |
---|---|---|---|---|
ALASKA | 2007-01-04 12:00:00.0000000 | COOP Observer | 2192 | Heavy Snow |
ALASKA | 2007-01-04 15:00:00.0000000 | Trained Spotter | 2192 | Heavy Snow |
ALASKA | 2007-01-04 15:00:00.0000000 | Trained Spotter | 2192 | Heavy Snow |
ALASKA | 2007-01-04 15:00:00.0000000 | Trained Spotter | 2192 | Heavy Snow |
ALASKA | 2007-01-06 18:00:00.0000000 | COOP Observer | 2193 | Heavy Snow |
The following table is the State
facet output table.
State | count_State |
---|---|
ALABAMA | 19 |
ARIZONA | 33 |
ARKANSAS | 1 |
AMERICAN SAMOA | 1 |
ALASKA | 58 |
The following table is the EventType
facet output table.
EventType | count_EventType |
---|---|
Heavy Rain | 34 |
Heavy Snow | 78 |