make_bag_if() (aggregation function)

Applies to: ✅ Azure Data Explorer, Azure Monitor, Microsoft Sentinel

Creates a dynamic JSON property bag (dictionary) of expr values in records for which predicate evaluates to true.

Null values are ignored and don't factor into the calculation.

Note

This function is used in conjunction with the summarize operator.

Syntax

make_bag_if(expr, predicate [, maxSize])

Learn more about syntax conventions.

Parameters

Name       Type     Required  Description
expr       dynamic  ✔️        The expression used for the aggregation calculation.
predicate  bool     ✔️        The predicate that must evaluate to true for expr to be added to the result.
maxSize    int                The limit on the maximum number of elements returned. The default and max value is 1048576.

Returns

Returns a dynamic JSON property bag (dictionary) of expr values in records for which predicate evaluates to true. Non-dictionary values will be skipped. If a key appears in more than one row, an arbitrary value, out of the possible values for this key, will be selected.

Note

This function without the predicate is similar to make_bag.

Example

The following example shows a packed JSON property bag.

let T = datatable(prop:string, value:string, predicate:bool)
[
    "prop01", "val_a", true,
    "prop02", "val_b", false,
    "prop03", "val_c", true
];
T
| extend p = bag_pack(prop, value)
| summarize dict=make_bag_if(p, predicate)

Output

dict
{ "prop01": "val_a", "prop03": "val_c" }

Use the bag_unpack() plugin to transform the bag keys in the make_bag_if() output into columns.

let T = datatable(prop:string, value:string, predicate:bool)
[
    "prop01", "val_a", true,
    "prop02", "val_b", false,
    "prop03", "val_c", true
];
T
| extend p = bag_pack(prop, value)
| summarize bag=make_bag_if(p, predicate)
| evaluate bag_unpack(bag)

Output

prop01 prop03
val_a val_c
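
The Returns section states that when a key appears in more than one row, an arbitrary value is kept. The following added example (not part of the original documentation; the SignIns table, its columns, and its values are constructed) shows that loss next to a variant that first collects every matching value per key with make_set_if() and then builds the bag with make_bag().

```kusto
// Constructed sample data: sign-in attempts per account.
let SignIns = datatable(Account:string, SrcIp:string, Failed:bool)
[
    "alice", "203.0.113.10", true,
    "alice", "198.51.100.7", true,
    "alice", "192.0.2.5",    false,
    "bob",   "203.0.113.10", true,
    "carol", "192.0.2.9",    false
];
// Naive bag keyed by Account: "alice" has two rows where Failed is true,
// so only one of her two source IPs (chosen arbitrarily) ends up in the bag.
let naive_bag = toscalar(
    SignIns
    | summarize make_bag_if(bag_pack(Account, SrcIp), Failed)
);
// Lossless variant: collect all failing source IPs per account first,
// so each key occurs exactly once before the bag is built.
SignIns
| summarize ips = make_set_if(SrcIp, Failed) by Account
// Drop accounts with no failed sign-ins (empty set), e.g. "carol".
| where array_length(ips) > 0
| summarize lossless = make_bag(bag_pack(Account, ips))
// Put both bags side by side for comparison.
| extend naive = naive_bag
```

When a bag feeds a detection or an investigation summary, choose a key that is unique within each summarize group, or aggregate per key first as shown, so that no values are dropped silently.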