Any idea if we can run different subqueries based on `iff` or `case` in Kusto? For example like this:
```kusto
let logtype = 0; // 1
let query1 = stormEvents1
| project Message
| take 1;
let query2 = stormEvents2
| project Message
| take 1;
iff(logtype == 0, query1, query2); // Syntax error
```
As of today, there are no control flow statements in KQL.
That said, we can achieve similar behavior using `union`.
```kusto
let logtype = 0; // 1
let query1 = StormEvents
| project Source
| take 1;
let query2 = StormEvents
| project EventType
| take 1;
union (query1 | where logtype == 0)
,(query2 | where logtype == 1)
```
| Source | EventType |
|---|---|
| Trained Spotter | |
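The same `union` plus `where` selection, as an added example that is not part of the original answer: it wraps the selector in a function and uses two inline `datatable`s with different schemas so it runs without any existing table. The names `SigninLogsSample`, `ProcessLogsSample` and `SelectLog`, and all rows, are constructed for illustration.

```kusto
// Constructed sample data standing in for two log sources (hypothetical names and rows).
let SigninLogsSample = datatable(TimeGenerated:datetime, Account:string, Result:string)
[
    datetime(2024-01-01 10:00:00), "alice", "Failure",
    datetime(2024-01-01 10:05:00), "bob",   "Success"
];
let ProcessLogsSample = datatable(TimeGenerated:datetime, Account:string, CommandLine:string)
[
    datetime(2024-01-01 11:00:00), "alice", "ipconfig /all"
];
// Each union leg is filtered on the scalar parameter only, so exactly one leg
// contributes rows; the other legs evaluate to empty sets.
let SelectLog = (logtype:string)
{
    union
        (SigninLogsSample  | where logtype == "signin"),
        (ProcessLogsSample | where logtype == "process")
};
// The output schema of union is the combined column set of all legs, so columns
// that belong only to the unselected leg (here Result) would come back empty.
// Project the columns of the selected leg to drop them.
SelectLog("process")
| project TimeGenerated, Account, CommandLine
```

A selector value that matches no leg returns an empty result rather than an error, so a mistyped `logtype` fails silently.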