make_bag() (aggregation function)
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Creates a dynamic JSON property bag (dictionary) of all the values of expr in the group.
Null values are ignored and don't factor into the calculation.
Note
This function is used in conjunction with the summarize operator.
Syntax
make_bag(expr [, maxSize])
Learn more about syntax conventions.
Parameters
Name | Type | Required | Description |
---|---|---|---|
expr | dynamic | ✔️ | The expression used for the aggregation calculation. |
maxSize | int | | The limit on the maximum number of elements returned. The default and max value is 1048576. |
Note
make_dictionary() has been deprecated in favor of make_bag(). The legacy version has a default maxSize limit of 128.
Returns
Returns a dynamic JSON property bag (dictionary) of all the values of expr in the group that are property bags. Non-dictionary values are skipped.
If a key appears in more than one row, an arbitrary value, out of the possible values for this key, will be selected.
Example
The following example shows a packed JSON property bag.
let T = datatable(prop:string, value:string)
[
"prop01", "val_a",
"prop02", "val_b",
"prop03", "val_c",
];
T
| extend p = bag_pack(prop, value)
| summarize dict=make_bag(p)
Output
dict |
---|
{ "prop01": "val_a", "prop02": "val_b", "prop03": "val_c" } |
Use the bag_unpack() plugin for transforming the bag keys in the make_bag() output into columns.
let T = datatable(prop:string, value:string)
[
"prop01", "val_a",
"prop02", "val_b",
"prop03", "val_c",
];
T
| extend p = bag_pack(prop, value)
| summarize bag=make_bag(p)
| evaluate bag_unpack(bag)
Output
prop01 | prop02 | prop03 |
---|---|---|
val_a | val_b | val_c |
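The following added example (not part of the original documentation) illustrates the duplicate-key behavior described under Returns: when one group contains the same key more than once, make_bag() keeps a single arbitrary value, which can silently drop evidence such as a second source IP in a Microsoft Sentinel query. The table, column names, and values are constructed for illustration; collapsing each key to a make_set() before packing is one way to keep every value.

```kusto
// Constructed sample data: attribute observations per account.
let Observations = datatable(Account:string, Attr:string, Val:string)
[
    "alice", "ip",      "10.0.0.5",
    "alice", "ip",      "203.0.113.7",   // same key seen twice for one account
    "alice", "country", "US",
    "bob",   "ip",      "10.0.0.9",
    "bob",   "country", "DE",
];
// Naive: pack each row and aggregate. For alice, only one of the two
// "ip" values survives, and which one is arbitrary.
let Naive =
    Observations
    | extend p = bag_pack(Attr, Val)
    | summarize NaiveBag = make_bag(p) by Account;
// Lossless: first reduce every (Account, Attr) pair to a set of values,
// so each key occurs exactly once per group before make_bag() runs.
let Lossless =
    Observations
    | summarize Vals = make_set(Val) by Account, Attr
    | extend p = bag_pack(Attr, Vals)
    | summarize LosslessBag = make_bag(p) by Account;
// Show both results side by side for comparison.
Naive
| join kind=inner Lossless on Account
| project Account, NaiveBag, LosslessBag
```

In LosslessBag each key maps to an array of distinct values, so consumers of the bag must expect arrays rather than scalars.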