make_list_if() (aggregation function)

Applies to: ✅ Azure Data ExplorerAzure MonitorMicrosoft Sentinel

Creates a dynamic array of expr values in the group for which predicate evaluates to true.

Null values are ignored and don't factor into the calculation.

Note

This function is used in conjunction with the summarize operator.

Syntax

make_list_if(expr, predicate [, maxSize])

Learn more about syntax conventions.

Parameters

Name Type Required Description
expr string ✔️ The expression used for the aggregation calculation.
predicate string ✔️ A predicate that has to evaluate to true in order for expr to be added to the result.
maxSize integer The maximum number of elements returned. The default and max value is 1048576.

Returns

Returns a dynamic array of expr vlaues in the group for which predicate evaluates to true. If the input to the summarize operator isn't sorted, the order of elements in the resulting array is undefined. If the input to the summarize operator is sorted, the order of elements in the resulting array tracks that of the input.

Example

The following example shows a list of names with more than 4 letters.

let T = datatable(name:string, day_of_birth:long)
[
   "John", 9,
   "Paul", 18,
   "George", 25,
   "Ringo", 7
];
T
| summarize make_list_if(name, strlen(name) > 4)

Output

list_name
["George", "Ringo"]

make_list function, which does the same, without predicate expression.