Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to write Kusto query to get results in one table?

Tags:

azure-data-explorer

kql

I have 2 KQL queries and I want to combine them in order to display two rows as one result. Not just result of first query, then result of second query: 

R_CL
| where isnotempty(SrcIP_s) 
| project Message 
| take 1;

R_CL
| where isempty(SrcIP_s) 
| project Message 
| take 1

See sample R_L below.I would like to see 2 rows as result, one with SrcIP_s not empty, and the second with SrcIP_s empty (in this case it will be always same one)

let R_CL = datatable ( SrcIP_s:string, Message:string)
["1.1.1.1" ,"one",
"" ,"two",
"2.2.2.2","three",
"3.3.3.3","four"];
R_CL
| project SrcIP_s, Message
like image 794
irom Avatar asked Apr 05 '19 15:04

irom

People also ask

How do you query with kusto?

Assign a result to a variable: let In Kusto Explorer, to execute the entire query, don't add blank lines between parts of the query. Any two statements must be separated by a semicolon.

How do you write a subquery in kusto?

Building the sub-query In Kusto, sub-queries have some similarities with CTEs: We use the statement LET to define a name for a sub-query. After that, we can user this query by name on our main query. As you may be imagining, we can create as many sub-queries as we would like in a single Kusto query.

How do I write a KQL query?

To specify a phrase in a KQL query, you must use double quotation marks. KQL queries don't support suffix matching, so you can't use the wildcard operator before a phrase in free-text queries. However, you can use the wildcard operator after a phrase.

2 Answers

I know this is an old request - but here's a sample query using views and a union for your single query:

Your two separate queries...

R_CL
| where isnotempty(SrcIP_s) 
| project Message 
| take 1;

R_CL
| where isempty(SrcIP_s) 
| project Message 
| take 1

would become:

let Query1 = view () {
R_CL
| where isnotempty(SrcIP_s) 
| project Message 
| take 1;
};
let Query2 = view () {
R_CL
| where isempty(SrcIP_s) 
| project Message 
| take 1
};    
union withsource="TempTableName" Query1, Query2
like image 146
Kurt P Avatar answered Nov 09 '22 19:11

Kurt P

A simple solution for this would be to use the union operator like this:

let query1 = R_CL
    | where isnotempty(SrcIP_s) 
    | project Message 
    | take 1;

let query2 = R_CL
    | where isempty(SrcIP_s) 
    | project Message 
    | take 1;

query1
| union query2;
like image 45
Jules Avatar answered Nov 09 '22 18:11

Jules
Sign in to Comment

Related questions

Kusto/KQL: summarize by time bucket AND count(string) column
How do I get one record per day for the last 30 days for each unique ID in Kusto?
How to remove time part from a datetime in Kusto
Kusto create an in-memory table for testing
Kusto Query from c#
How to comment lines in Kusto language [duplicate]
Azure Data Explorer (ADX) vs Polybase vs Databricks
Kusto | Summarize count() multiple columns with where clauses
Is it possible to mult-line comment in Kusto?
Kusto !has_any | where value does not contain any value in set
Power M Query/Kusto take first from group
How to scale a data series on a Kusto timechart
Meaning of Kusto CSL acronym
How do I print a tree using the Kusto Query Language?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!