pivot plugin

Learn how to use the pivot plugin to rotate a table with specified columns and aggregates the remaining columns.

Rotates a table by turning the unique values from one column in the input table into multiple columns in the output table and performs aggregations as required on any remaining column values that will appear in the final output.

Syntax

T | evaluate pivot(pivotColumn[, aggregationFunction] [,column1 [,column2]]) [: OutputSchema]

Parameters

NameTypeRequiredDescription
pivotColumnstring✔️The column to rotate. Each unique value from this column will be a column in the output table.
aggregationFunctionstringAn aggregation function used to aggregate multiple rows in the input table to a single row in the output table. Currently supported functions: min(), max(), take_any(), sum(), dcount(), avg(), stdev(), variance(), make_list(), make_bag(), make_set(), count(). The default is count().
column1, column2, …stringA column name or comma-separated list of column names. The output table will contain an additional column per each specified column. The default is all columns other than the pivoted column and the aggregation column.
OutputSchemaThe names and types for the expected columns of the pivot plugin output.

Syntax: ( ColumnName : ColumnType [, …] )

Specifying the expected schema optimizes query execution by not having to first run the actual query to explore the schema. An error is raised if the run-time schema doesn’t match the OutputSchema schema.

Returns

Pivot returns the rotated table with specified columns (column1, column2, …) plus all unique values of the pivot columns. Each cell for the pivoted columns will contain the aggregate function computation.

Examples

Pivot by a column

For each EventType and State starting with ‘AL’, count the number of events of this type in this state.

StormEvents
| project State, EventType
| where State startswith "AL"
| where EventType has "Wind"
| evaluate pivot(State)

Output

EventTypeALABAMAALASKA
Thunderstorm Wind3521
High Wind095
Extreme Cold/Wind Chill010
Strong Wind220

Pivot by a column with aggregation function

For each EventType and State starting with ‘AR’, display the total number of direct deaths.

StormEvents
| where State startswith "AR"
| project State, EventType, DeathsDirect
| where DeathsDirect > 0
| evaluate pivot(State, sum(DeathsDirect))

Output

EventTypeARKANSASARIZONA
Heavy Rain10
Thunderstorm Wind10
Lightning01
Flash Flood06
Strong Wind10
Heat30

Pivot by a column with aggregation function and a single additional column

Result is identical to previous example.

StormEvents
| where State startswith "AR"
| project State, EventType, DeathsDirect
| where DeathsDirect > 0
| evaluate pivot(State, sum(DeathsDirect), EventType)

Output

EventTypeARKANSASARIZONA
Heavy Rain10
Thunderstorm Wind10
Lightning01
Flash Flood06
Strong Wind10
Heat30

Specify the pivoted column, aggregation function, and multiple additional columns

For each event type, source, and state, sum the number of direct deaths.

StormEvents
| where State startswith "AR"
| where DeathsDirect > 0
| evaluate pivot(State, sum(DeathsDirect), EventType, Source)

Output

EventTypeSourceARKANSASARIZONA
Heavy RainEmergency Manager10
Thunderstorm WindEmergency Manager10
LightningNewspaper01
Flash FloodTrained Spotter02
Flash FloodBroadcast Media03
Flash FloodNewspaper01
Strong WindLaw Enforcement10
HeatNewspaper30

Pivot with a query-defined output schema

The following example selects specific columns in the StormEvents table. It uses an explicit schema definition that allows various optimizations to be evaluated before running the actual query.

StormEvents
| project State, EventType
| where EventType has "Wind"
| evaluate pivot(State): (EventType:string, ALABAMA:long, ALASKA:long)

Output

EventTypeALABAMAALASKA
Thunderstorm Wind3521
High Wind095
Marine Thunderstorm Wind00
Strong Wind220
Extreme Cold/Wind Chill010
Cold/Wind Chill00
Marine Strong Wind00
Marine High Wind00