Benjamin Golinvaux asked

Ability to use aggregate in Kusto queries for custom events?

Hello

I am able to use aggregate in queries for event "standard" keys, for instance:

['events.all'] | summarize count() by Entity_Type

(fictional query)

but if I try to use:

['events.all'] | summarize count() by EventData.inner_data.MyCustomDataField

(that is a string with separate discrete values), I receive an error.

Is there a way to perform such aggregation?

The alternative is to use a simple non-aggregate count with various "where" clauses that list all the possible combinations, which is very very slow.

Thanks in advance!


1 Answer

Made Wang answered

The value in the body of EventData is in JSON format by default; you need to manually convert it to a string, as follows:

['events.all'] 
| summarize count() by tostring(EventData.inner_data.MyCustomDataField)

This worked in my tests. If this doesn't work for you, please provide some steps to reproduce.

1 comment

Benjamin Golinvaux commented

It works! thank you very much :)

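The cast from the answer above, as an added self-contained example that is not part of the original thread: a property read from EventData has type dynamic, and summarize needs a scalar group key, hence the tostring(). The rows are constructed sample data standing in for ['events.all']; only the column and field names come from the thread, and the row with no MyCustomDataField shows that tostring() turns a missing property into an empty string, which then becomes its own group.

```kusto
// Constructed sample rows; SampleEvents is a hypothetical stand-in for ['events.all'].
let SampleEvents = datatable(Entity_Type: string, EventData: dynamic)
[
    "player", dynamic({"inner_data": {"MyCustomDataField": "red"}}),
    "player", dynamic({"inner_data": {"MyCustomDataField": "blue"}}),
    "title",  dynamic({"inner_data": {"MyCustomDataField": "red"}}),
    // Field absent: tostring() yields "" for this row.
    "player", dynamic({"inner_data": {}}),
    // Non-string value: tostring() renders it as the text "7".
    "player", dynamic({"inner_data": {"MyCustomDataField": 7}})
];
SampleEvents
// Cast the dynamic property to a string once, then reuse the typed column.
| extend CustomField = tostring(EventData.inner_data.MyCustomDataField)
// Keep events that lack the field visible under an explicit label instead of "".
| extend CustomField = iff(isempty(CustomField), "(missing)", CustomField)
| summarize Events = count() by CustomField
| order by Events desc
```

Replacing SampleEvents with ['events.all'] and dropping the let statement gives the same aggregation over real events.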
