Say I have an exceptions table which I know contains some data like the below, where details is a dynamic object
| operation_id | details |
|---|---|
| 1 | {"cause": "sometext"} |
| 1 | {"other_info": 240} |
| 1 | {"message": "blabal" } |
| 2 | {"cause": "some other text"} |
| 2 | {"other_info": 88} |
| 2 | {"message": "blabal2" } |
How can I query these results to be grouped by operation_id, but somehow aggregate everying in the details column, perhaps something like
| operation_id | details_1 | details_2 | details_3 |
|---|---|---|---|
| 1 | {"cause": "sometext"} | {"other_info": 240} | {"message": "blabal" } |
| 2 | {"cause": "some other text"} | {"other_info": 88} | {"message": "blabal2" } |
or even just join all details into a single column
I tried doing it with summarize, but it just shows each entry on a separate line (since each details is unique):
exceptions
| where timestamp > now() - 10m
| summarize by operation_Id, dynamic_to_json(['details'])
Does anyone have any advice about this?
you can use the make_bag() aggregation function.
for example:
datatable(operation_id:int, details:dynamic)
[
1, dynamic({"cause": "sometext"}),
1, dynamic({"other_info": 240}),
1, dynamic({"message": "blabal" }),
2, dynamic({"cause": "some other text"}),
2, dynamic({"other_info": 88}),
2, dynamic({"message": "blabal2" }),
]
| summarize details = make_bag(details) by operation_id
| operation_id | details |
|---|---|
| 1 | { "cause": "sometext", "other_info": 240, "message": "blabal" } |
| 2 | { "cause": "some other text", "other_info": 88, "message": "blabal2" } |