make_bag_if() (aggregation function)
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Creates a dynamic
JSON property bag (dictionary) of expr values in records for which predicate evaluates to true
.
Null values are ignored and don't factor into the calculation.
Note
This function is used in conjunction with the summarize operator.
Syntax
make_bag_if(
expr,
predicate [,
maxSize])
Learn more about syntax conventions.
Parameters
Name | Type | Required | Description |
---|---|---|---|
expr | dynamic |
✔️ | The expression used for the aggregation calculation. |
predicate | bool |
✔️ | The predicate that evaluates to true , in order for expr to be added to the result. |
maxSize | int |
The limit on the maximum number of elements returned. The default and max value is 1048576. |
Returns
Returns a dynamic
JSON property bag (dictionary) of expr values in records for which predicate evaluates to true
. Non-dictionary values will be skipped.
If a key appears in more than one row, an arbitrary value, out of the possible values for this key, will be selected.
Note
This function without the predicate is similar to make_bag
.
Example
The following example shows a packed JSON property bag.
let T = datatable(prop:string, value:string, predicate:bool)
[
"prop01", "val_a", true,
"prop02", "val_b", false,
"prop03", "val_c", true
];
T
| extend p = bag_pack(prop, value)
| summarize dict=make_bag_if(p, predicate)
Output
dict |
---|
{ "prop01": "val_a", "prop03": "val_c" } |
Use bag_unpack() plugin for transforming the bag keys in the make_bag_if() output into columns.
let T = datatable(prop:string, value:string, predicate:bool)
[
"prop01", "val_a", true,
"prop02", "val_b", false,
"prop03", "val_c", true
];
T
| extend p = bag_pack(prop, value)
| summarize bag=make_bag_if(p, predicate)
| evaluate bag_unpack(bag)
Output
prop01 | prop03 |
---|---|
val_a | val_c |