rows_near() plugin

Applies to: ✅ Azure Data Explorer

Finds rows near a specified condition.

The plugin is invoked with the evaluate operator.

Syntax

T | evaluate rows_near(Condition, NumRows [, RowsAfter ])

Learn more about syntax conventions.

Parameters

| Name | Type | Required | Description |
|---|---|---|---|
| T | string | ✔️ | The input tabular expression. |
| Condition | bool | ✔️ | Represents the condition to find rows around. |
| NumRows | int | ✔️ | The number of rows to find before and after the condition. |
| RowsAfter | int | | When specified, overrides the number of rows to find after the condition. |

Returns

Every row from the input that is within NumRows rows of a row where Condition is true. When RowsAfter is specified, returns every row from the input that is within NumRows rows before or RowsAfter rows after a row where Condition is true.

Example

Find rows with an "Error" State, and return the 2 rows before and after each "Error" record.

datatable (Timestamp:datetime, Value:long, State:string )
[
    datetime(2021-06-01), 1, "Success",
    datetime(2021-06-02), 4, "Success",
    datetime(2021-06-03), 3, "Success",
    datetime(2021-06-04), 11, "Success",
    datetime(2021-06-05), 15, "Success",
    datetime(2021-06-06), 2, "Success",
    datetime(2021-06-07), 19, "Error",
    datetime(2021-06-08), 12, "Success",
    datetime(2021-06-09), 7, "Success",
    datetime(2021-06-10), 9, "Success",
    datetime(2021-06-11), 4, "Success",
    datetime(2021-06-12), 1, "Success",
]
| sort by Timestamp asc 
| evaluate rows_near(State == "Error", 2)

Output

| Timestamp | Value | State |
|---|---|---|
| 2021-06-05 00:00:00.0000000 | 15 | Success |
| 2021-06-06 00:00:00.0000000 | 2 | Success |
| 2021-06-07 00:00:00.0000000 | 19 | Error |
| 2021-06-08 00:00:00.0000000 | 12 | Success |
| 2021-06-09 00:00:00.0000000 | 7 | Success |
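
The following is an added example, not part of the original page, that uses the optional RowsAfter argument to pull triage context around failed sign-ins: one row before and three rows after each failure. The table contents, column names and account names are constructed for illustration.

```kusto
// Constructed sample data: sign-in and activity events for two accounts.
datatable (Timestamp:datetime, Account:string, Action:string, Result:string)
[
    datetime(2021-06-01 08:00:00), "svc-backup", "SignIn",       "Success",
    datetime(2021-06-01 08:05:00), "alice",      "SignIn",       "Success",
    datetime(2021-06-01 08:10:00), "svc-backup", "ReadSecret",   "Success",
    datetime(2021-06-01 09:00:00), "svc-backup", "SignIn",       "Failure",
    datetime(2021-06-01 09:00:20), "svc-backup", "SignIn",       "Failure",
    datetime(2021-06-01 09:01:00), "svc-backup", "SignIn",       "Success",
    datetime(2021-06-01 09:02:00), "alice",      "ReadSecret",   "Success",
    datetime(2021-06-01 09:03:00), "svc-backup", "AddRole",      "Success",
    datetime(2021-06-01 09:04:00), "svc-backup", "ReadSecret",   "Success",
    datetime(2021-06-01 09:30:00), "svc-backup", "ExportConfig", "Success",
    datetime(2021-06-01 10:00:00), "svc-backup", "SignOut",      "Success",
]
// rows_near works on row position, not on time or on a key column,
// so restrict the input to one account before looking for neighbours.
| where Account == "svc-backup"
// Row order defines what "near" means; sort before calling the plugin.
| sort by Timestamp asc
// NumRows = 1 row before each failure; RowsAfter = 3 overrides the
// number of rows returned after it. The two failures are adjacent,
// so their windows overlap.
| evaluate rows_near(Result == "Failure", 1, 3)
```

Because the window is counted in rows rather than in time, the rows returned after a failure can span seconds or hours depending on how busy the account is.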