azure-data-explorerkqlazure-sentinel
Summarize 2 sets into 1 set per user KQL
What would be the proper way to summarize 2 sets into 1 set by user?
For example, in the picture below:
I want to create a new set (the column that has the question mark) combining the X_locations and Y_Locations columns by User.
I did try strcat_array, but I am not sure those results will work, is anyone aware of a proper way to do this?, I envision something like this?:
| summarize whateverSetUnionFunctionHere(X_Locations,Y_Locations) by User
Solution
It seems you are looking for the combination of @Avnera & @Yoni K. answers
datatable(User:string, X_locations:dynamic, Y_locations:dynamic)
[
"user1", dynamic(["a"]), dynamic(["a"]),
"user2", dynamic(["b","c"]), dynamic(["c"]),
"user2", dynamic(["b"]), dynamic(["b","d"]),
]
| summarize make_set(set_union(X_locations, Y_locations)) by User
| User | set_ |
|---|---|
| user1 | ["a"] |
| user2 | ["b","c","d"] |
P.S.
There are multiple variations for that, E.g. set_union could be replaced by array_concat
- Create a function to calculate power of tens with a loop and reuse them in another query
- Generate Chart by Type and State
- Azure Data Explorer C# querying and ORM
- Is it possible to update rows in Azure Data Explorer (Kusto)
- Kusto query for time between records by group in one result list
- Build a tree / run recursive query in Kusto Azure Data Explorer
- Where do Kusto dashboard definitions live
- insert an array in column of the kql table
- Stuck at PIM Diagnostics via KQL
- Grouping on the basis of cumulative sum
- How to use table alias in KQL query
- Can I use Azure Data Explorer (Kusto) to query data (such as groups) in Microsoft Entra Admin Center?
- Restrict all table and function except specific table
- Extract query string from url
- Spark-Kusto connector writestream writes only 1 batch and then goes idle
- how to convert the rows into columns in Azure Data Explorer (Kusto)
- String function not parsing all characters
- free disk space overview using InsightsMetrics
- Time difference between separate rows in same table
- How to create a Kusto Client using Synapse Managed Identity
- Summarize count() multiple columns with where clauses
- Merging multiple rows into a variable in json format
- Kusto (KQL), How to pivot event rows that are grouped into single lines (by user and day), including event start and end times?
- How to efficiently find if any field changed in a Kusto table?
- azure kusto query using azure data explorer
- Why does "summarize count()" on a stored query result always give 0?
- Exporting query from Azure Data Explorer to Power BI fails for Application Insights Cluster
- Updating a follower cluster configuration - limiting tables
- Percentile at day to day and Percentile Week Level on top of day level Percentile
- Azure Data Explorer not storing json