Search code examples
kqlazure-log-analytics

display column even when. the count is zero/does not appear

I am trying to summarize a few events based on EIDs, but the result is only displaying for eve_1 and not eve_2 since (based on my data) since eve_2 count is 0.

How can I display eve_2 even when the count is 0 in this case?

Table 
| where DateTime > ago(7d) 
| where EID in (11, 22, 33)
| extend
Evet_cat = case(EID in (11 22), "eve_1", 
                EID == 33, "eve_2",
                "others"
                ),
Date_time = format_datetime(DateTime, 'yyyy-MM-dd HH')
| summarize count() by Date_time, Evet_cat
| order by Date_time desc

How can I make sure both eve_1 and eve_2 are displayed even if their count is 0?

Update: I realize my wording of the question may be wrong. What I'm looking for is that. I'm trying to set a default (0) for any column that does not have a count, if there is a count, that should be displayed as usual.

So, something like:

|   Date_time   | Evet_cat | count_ |
|---------------|----------|--------|
| 2023-02-24 13 | eve_1    |     10 |
| 2023-02-24 13 | eve_2    |      0 |
| 2023-02-24 12 | eve_1    |      5 |
| 2023-02-24 12 | eve_2    |      0 |

the original query I had would have produced something like this:

|   Date_time   | Evet_cat | count_ |
|---------------|----------|--------|
| 2023-02-24 13 | eve_1    |     10 |
| 2023-02-24 12 | eve_1    |      5 |

Ultimately, I am looking to get the data to display like this:

|   Date_time   | eve_1    | eve_2  |
|---------------|----------|--------|
| 2023-02-24 13 |    10    |      0 |
| 2023-02-24 12 |     5    |      0 |
Solution 
  • // Sample data generation. Not part of the solution.
let Table = materialize(range i from 1 to 200 step 1 | extend DateTime = ago(7d * rand()), EID = tolong((rand(3) + 1) * 11));
// Solution starts here.
Table 
| where DateTime > ago(7d) 
| where EID in (11, 22, 33)
| extend Evet_cat = case(EID in (11, 22), "eve_1", EID == 33, "eve_2", "others")
        ,Date_time = format_datetime(DateTime, 'yyyy-MM-dd HH')
| evaluate pivot(Evet_cat, count(), Date_time)
    Date_time eve_1 eve_2
    2023-02-17 20 0 2
    2023-02-22 23 1 1
    2023-02-23 23 1 2
    2023-02-18 11 0 1
    2023-02-18 08 1 3
    2023-02-22 08 2 0
    2023-02-21 14 2 0
    2023-02-18 17 2 1
    2023-02-19 17 2 0
    2023-02-24 10 1 0
    2023-02-23 12 3 1
    ... ... ...
    2023-02-24 03 1 0
    2023-02-23 01 1 0
    2023-02-22 15 0 1
    2023-02-20 08 1 0
    2023-02-20 00 0 1

    Fiddle