make_bag() (aggregation function)

Applies to: ✅ Azure Data ExplorerAzure MonitorMicrosoft Sentinel

Creates a dynamic JSON property bag (dictionary) of all the values of expr in the group.

Null values are ignored and don't factor into the calculation.

Note

This function is used in conjunction with the summarize operator.

Syntax

make_bag (expr [, maxSize])

Learn more about syntax conventions.

Parameters

Name Type Required Description
expr dynamic ✔️ The expression used for the aggregation calculation.
maxSize int The limit on the maximum number of elements returned. The default and max value is 1048576.

Note

make_dictionary() has been deprecated in favor of make_bag(). The legacy version has a default maxSize limit of 128.

Returns

Returns a dynamic JSON property bag (dictionary) of all the values of Expr in the group, which are property bags. Non-dictionary values will be skipped. If a key appears in more than one row, an arbitrary value, out of the possible values for this key, will be selected.

Example

The following example shows a packed JSON property bag.

let T = datatable(prop:string, value:string)
[
    "prop01", "val_a",
    "prop02", "val_b",
    "prop03", "val_c",
];
T
| extend p = bag_pack(prop, value)
| summarize dict=make_bag(p)

Output

dict
{ "prop01": "val_a", "prop02": "val_b", "prop03": "val_c" }

Use the bag_unpack() plugin for transforming the bag keys in the make_bag() output into columns.

let T = datatable(prop:string, value:string)
[
    "prop01", "val_a",
    "prop02", "val_b",
    "prop03", "val_c",
];
T
| extend p = bag_pack(prop, value)
| summarize bag=make_bag(p)
| evaluate bag_unpack(bag)

Output

prop01 prop02 prop03
val_a val_b val_c

bag_unpack().