take_anyif() (aggregation function)
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Arbitrarily selects one record for each group in a summarize operator, from among the records for which the predicate is 'true'. The function returns the value of an expression over each such record.
This function is useful when you want to get a sample value of one column per value of the compound group key, subject to some predicate that is true. If such a value is present, the function attempts to return a non-null/non-empty value.
Deprecated aliases: anyif()
Note
The deprecated version adds any_ prefix to the columns returned by the any() aggregation.
Syntax
take_anyif(expr, predicate)
Learn more about syntax conventions.
Parameters
Name | Type | Required | Description |
---|---|---|---|
expr | string | ✔️ | The expression used for selecting a record. |
predicate | string | ✔️ | Indicates which records may be considered for evaluation. |
Returns
The take_anyif aggregation function returns the value of the expression calculated for each of the records randomly selected from each group of the summarize operator. Only records for which predicate returns 'true' may be selected. If the predicate doesn't return 'true', a null value is produced.
Examples
Pick a random EventType from Storm events, where event description has a key phrase.
StormEvents
| summarize take_anyif(EventType, EventNarrative has 'strong wind')
Output
EventType |
---|
Strong Wind |
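
The following is an added example, not part of the original documentation. It uses take_anyif with a group key to pull one sample source IP from the failed sign-ins of each account, and handles accounts that have no failed record at all. The SampleSignIns table, its column names and all rows are constructed for illustration.

```kusto
// Constructed sample data; table and column names are assumptions,
// not a real Azure Monitor or Microsoft Sentinel schema.
let SampleSignIns = datatable(Account:string, Result:string, IPAddress:string)
[
    "alice", "Success", "198.51.100.7",
    "alice", "Failure", "203.0.113.10",
    "alice", "Failure", "203.0.113.11",
    "bob",   "Success", "198.51.100.8",
    "bob",   "Success", "198.51.100.8",
    "carol", "Failure", "203.0.113.12"
];
SampleSignIns
| summarize
    // Number of records in the group that satisfy the predicate.
    FailedCount    = countif(Result == "Failure"),
    // One arbitrarily chosen IPAddress, taken only from records
    // in the group where the predicate is true.
    SampleFailedIP = take_anyif(IPAddress, Result == "Failure")
    by Account
// A group with no record matching the predicate gets no value for
// SampleFailedIP; isnotempty() filters those groups out whether the
// missing value surfaces as null or as an empty string.
| where isnotempty(SampleFailedIP)
| order by Account asc
```

For an account with several failed records, which of its addresses is returned is arbitrary, so use the value as a sample for triage, not as the complete set of sources.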