This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Scalar functions

1: abs()
2: acos()
3: ago()
4: around() function
5: array_concat()
6: array_iff()
7: array_index_of()
8: array_length()
9: array_reverse()
10: array_rotate_left()
11: array_rotate_right()
12: array_shift_left()
13: array_shift_right()
14: array_slice()
15: array_sort_asc()
16: array_sort_desc()
17: array_split()
18: array_sum()
19: asin()
20: assert()
21: atan()
22: atan2()
23: bag_has_key()
24: bag_keys()
25: bag_merge()
26: bag_pack_columns()
27: bag_pack()
28: bag_remove_keys()
29: bag_set_key()
30: bag_zip()
31: base64_decode_toarray()
32: base64_decode_toguid()
33: base64_decode_tostring()
34: base64_encode_fromarray()
35: base64_encode_fromguid()
36: base64_encode_tostring()
37: beta_cdf()
38: beta_inv()
39: beta_pdf()
40: bin_at()
41: bin_auto()
42: bin()
43: binary_and()
44: binary_not()
45: binary_or()
46: binary_shift_left()
47: binary_shift_right()
48: binary_xor()
49: bitset_count_ones()
50: case()
51: ceiling()
52: coalesce()
53: column_ifexists()
54: convert_angle()
55: convert_energy()
56: convert_force()
57: convert_length()
58: convert_mass()
59: convert_speed()
60: convert_temperature()
61: convert_volume()
62: cos()
63: cot()
64: countof()
65: current_cluster_endpoint()
66: current_database()
67: current_principal_details()
68: current_principal_is_member_of()
69: current_principal()
70: cursor_after()
71: cursor_before_or_at()
72: cursor_current()
73: datetime_add()
74: datetime_diff()
75: datetime_list_timezones()
76: datetime_local_to_utc()
77: datetime_part()
78: datetime_utc_to_local()
79: dayofmonth()
80: dayofweek()
81: dayofyear()
82: dcount_hll()
83: degrees()
84: dynamic_to_json()
85: endofday()
86: endofmonth()
87: endofweek()
88: endofyear()
89: erf()
90: erfc()
91: estimate_data_size()
92: exp()
93: exp10()
94: exp2()
95: extent_id()
96: extent_tags()
97: extract_all()
98: extract_json()
99: extract()
100: format_bytes()
101: format_datetime()
102: format_ipv4_mask()
103: format_ipv4()
104: format_timespan()
105: gamma()
106: geo_info_from_ip_address()
107: gettype()
108: getyear()
109: gzip_compress_to_base64_string
110: gzip_decompress_from_base64_string()
111: has_any_ipv4_prefix()
112: has_any_ipv4()
113: has_ipv4_prefix()
114: has_ipv4()
115: hash_combine()
116: hash_many()
117: hash_md5()
118: hash_sha1()
119: hash_sha256()
120: hash_xxhash64()
121: hash()
122: hll_merge()
123: hourofday()
124: iff()
125: indexof_regex()
126: indexof()
127: ingestion_time()
128: ipv4_compare()
129: ipv4_is_in_any_range()
130: ipv4_is_in_range()
131: ipv4_is_match()
132: ipv4_is_private()
133: ipv4_netmask_suffix()
134: ipv4_range_to_cidr_list()
135: ipv6_compare()
136: ipv6_is_in_any_range()
137: ipv6_is_in_range()
138: ipv6_is_match()
139: isascii()
140: isempty()
141: isfinite()
142: isinf()
143: isnan()
144: isnotempty()
145: isnotnull()
146: isnull()
147: isutf8()
148: jaccard_index()
149: log()
150: log10()
151: log2()
152: loggamma()
153: make_datetime()
154: make_timespan()
155: max_of()
156: merge_tdigest()
157: min_of()
158: monthofyear()
159: new_guid()
160: not()
161: now()
162: pack_all()
163: pack_array()
164: parse_command_line()
165: parse_csv()
166: parse_ipv4_mask()
167: parse_ipv4()
168: parse_ipv6_mask()
169: parse_ipv6()
170: parse_json() function
171: parse_path()
172: parse_url()
173: parse_urlquery()
174: parse_user_agent()
175: parse_version()
176: parse_xml()
177: percentile_array_tdigest()
178: percentile_tdigest()
179: percentrank_tdigest()
180: pi()
181: pow()
182: punycode_domain_from_string
183: punycode_domain_to_string
184: punycode_from_string
185: punycode_to_string
186: radians()
187: rand()
188: range()
189: rank_tdigest()
190: regex_quote()
191: repeat()
192: replace_regex()
193: replace_string()
194: replace_strings()
195: reverse()
196: round()
197: Scalar Functions
198: set_difference()
199: set_has_element()
200: set_intersect()
201: set_union()
202: sign()
203: sin()
204: split()
205: sqrt()
206: startofday()
207: startofmonth()
208: startofweek()
209: startofyear()
210: strcat_array()
211: strcat_delim()
212: strcat()
213: strcmp()
214: string_size()
215: strlen()
216: strrep()
217: substring()
218: tan()
219: The has_any_index operator
220: tobool()
221: todatetime()
222: todecimal()
223: toguid()
224: tohex()
225: toint()
226: tolong()
227: tolower()
228: toreal()
229: tostring()
230: totimespan()
231: toupper()
232: translate()
233: treepath()
234: trim_end()
235: trim_start()
236: trim()
237: unicode_codepoints_from_string()
238: unicode_codepoints_to_string()
239: unixtime_microseconds_todatetime()
240: unixtime_milliseconds_todatetime()
241: unixtime_nanoseconds_todatetime()
242: unixtime_seconds_todatetime()
243: url_decode()
244: url_encode_component()
245: url_encode()
246: week_of_year()
247: welch_test()
248: zip()
249: zlib_compress_to_base64_string
250: zlib_decompress_from_base64_string()

1 - abs()

Learn how to use the abs() function to calculate the absolute value of an input.

Calculates the absolute value of the input.

Syntax

abs(x)

Parameters

Name	Type	Required	Description
x	int, real, or timespan	✔️	The value to make absolute.

Returns

Absolute value of x.

Example

print abs(-5)

Output

print_0
5

2 - acos()

Learn how to use the acos() function to calculate the angle of the cosine input.

Calculates the angle whose cosine is the specified number. Inverse operation of cos().

Syntax

acos(x)

Parameters

Name	Type	Required	Description
x	`real`	✔️	The value used to calculate the arc cosine.

Returns

The value of the arc cosine of x. The return value is null if x < -1 or x > 1.

3 - ago()

Learn how to use the ago() function to subtract a given timespan from the current UTC clock time.

Subtracts the given timespan from the current UTC time.

Like now(), if you use ago() multiple times in a single query statement, the current UTC time being referenced is the same across all uses.

Syntax

ago(timespan)

Parameters

Name	Type	Required	Description
timespan	`timespan`	✔️	The interval to subtract from the current UTC clock time `now()`. For a full list of possible timespan values, see timespan literals.

Returns

A datetime value equal to the current time minus the timespan.

Example

All rows with a timestamp in the past hour:

T | where Timestamp > ago(1h)

4 - around() function

Learn how to use the around() function to indicate if the first argument is within a range around the center value.

Creates a bool value indicating if the first argument is within a range around the center value.

Syntax

around(value,center,delta)

Parameters

Name	Type	Required	Description
value	int, long, real, datetime, or timespan	✔️	The value to compare to the center.
center	int, long, real, datetime, or timespan	✔️	The center of the range defined as [(`center`-`delta`) .. (`center` + `delta`)].
delta	int, long, real, datetime, or timespan	✔️	The delta value of the range defined as [(`center`-`delta`) .. (`center` + `delta`)].

Returns

Returns true if the value is within the range, false if the value is outside the range. Returns null if any of the arguments is null.

Example: Filtering values around a specific timestamp

The following example filters rows around specific timestamp.

range dt 
    from datetime(2021-01-01 01:00) 
    to datetime(2021-01-01 02:00) 
    step 1min
| where around(dt, datetime(2021-01-01 01:30), 1min)

Output

dt
2021-01-01 01:29:00.0000000
2021-01-01 01:30:00.0000000
2021-01-01 01:31:00.0000000

5 - array_concat()

Learn how to use the array_concat() function to concatenate many dynamic arrays to a single array.

Concatenates many dynamic arrays to a single array.

Syntax

array_concat(arr [, …])

Parameters

Name	Type	Required	Description
arr	`dynamic`	✔️	The arrays to concatenate into a dynamic array.

Returns

Returns a dynamic array of all input arrays.

Example

The following example shows concatenated arrays.

range x from 1 to 3 step 1
| extend y = x * 2
| extend z = y * 2
| extend a1 = pack_array(x,y,z), a2 = pack_array(x, y)
| project array_concat(a1, a2)

Output

Column1
[1,2,4,1,2]
[2,4,8,2,4]
[3,6,12,3,6]

pack_array()

6 - array_iff()

Learn how to use the array_iff() function to scan and evaluate elements in an array.

Element-wise iif function on dynamic arrays.

Syntax

array_iff(condition_array, when_true, when_false)

Parameters

Name	Type	Required	Description
condition_array	`dynamic`	✔️	An array of boolean or numeric values.
when_true	dynamic or scalar	✔️	An array of values or primitive value. This will be the result when condition_array is true.
when_false	dynamic or scalar	✔️	An array of values or primitive value. This will be the result when condition_array is false.

Returns

Returns a dynamic array of the values taken either from the when_true or when_false array values, according to the corresponding value of the condition array.

Examples

print condition=dynamic([true,false,true]), if_true=dynamic([1,2,3]), if_false=dynamic([4,5,6]) 
| extend res= array_iff(condition, if_true, if_false)

Output

condition	if_true	if_false	res
[true, false, true]	[1, 2, 3]	[4, 5, 6]	[1, 5, 3]

Numeric condition values

print condition=dynamic([1,0,50]), if_true="yes", if_false="no" 
| extend res= array_iff(condition, if_true, if_false)

Output

condition	if_true	if_false	res
[1, 0, 50]	yes	no	[yes, no, yes]

Non-numeric and non-boolean condition values

print condition=dynamic(["some string value", datetime("01-01-2022"), null]), if_true=1, if_false=0
| extend res= array_iff(condition, if_true, if_false)

Output

condition	if_true	if_false	res
[true, false, true]	1	0	[null, null, null]

Mismatched array lengths

print condition=dynamic([true,true,true]), if_true=dynamic([1,2]), if_false=dynamic([3,4]) 
| extend res= array_iff(condition, if_true, if_false)

Output

condition	if_true	if_false	res
[true, true, true]	[1, 2]	[3, 4]	[1, 2, null]

7 - array_index_of()

Learn how to use the array_index_of() function to search an array for a specified item, and return its position.

Searches an array for the specified item, and returns its position.

Syntax

array_index_of(array, value [, start [, length [, occurence ]]])

Parameters

Name	Type	Required	Description
array	`dynamic`	✔️	The array to search.
value	long, int, datetime, timespan, string, guid, or bool	✔️	The value to lookup.
start	`int`		The search start position. A negative value will offset the starting search value from the end of the array by `abs(`start`)` steps.
length	`int`		The number of values to examine. A value of -1 means unlimited length.
occurrence	`int`		The number of the occurrence. The default is 1.

Returns

Returns a zero-based index position of lookup. Returns -1 if the value isn’t found in the array. Returns null for irrelevant inputs (occurrence < 0 or length < -1).

Example

The following example shows the position number of specific words within the array.

let arr=dynamic(["this", "is", "an", "example", "an", "example"]);
print
 idx1 = array_index_of(arr,"an")    // lookup found in input string
 , idx2 = array_index_of(arr,"example",1,3) // lookup found in researched range 
 , idx3 = array_index_of(arr,"example",1,2) // search starts from index 1, but stops after 2 values, so lookup can't be found
 , idx4 = array_index_of(arr,"is",2,4) // search starts after occurrence of lookup
 , idx5 = array_index_of(arr,"example",2,-1)  // lookup found
 , idx6 = array_index_of(arr, "an", 1, -1, 2)   // second occurrence found in input range
 , idx7 = array_index_of(arr, "an", 1, -1, 3)   // no third occurrence in input array
 , idx8 = array_index_of(arr, "an", -3)   // negative start index will look at last 3 elements
 , idx9 = array_index_of(arr, "is", -4)   // negative start index will look at last 3 elements

Output

idx1	idx2	idx3	idx4	idx5	idx6	idx7	idx8	idx9
2	3	-1	-1	3	4	-1	4	-1

Use set_has_element(arr, value) to check whether a value exists in an array. This function will improve the readability of your query. Both functions have the same performance.

8 - array_length()

Learn how to use the array_length() function to calculate the number of elements in a dynamic array.

Calculates the number of elements in a dynamic array.

Syntax

array_length(array)

Parameters

Name	Type	Required	Description
array	`dynamic`	✔️	The array for which to calculate length.

Returns

Returns the number of elements in array, or null if array isn’t an array.

Examples

The following example shows the number of elements in the array.

print array_length(dynamic([1, 2, 3, "four"]))

Output

print_0
4

9 - array_reverse()

Learn how to use the array_reverse() function to reverse the order of the elements in a dynamic array.

Reverses the order of the elements in a dynamic array.

Syntax

array_reverse(value)

Parameters

Name	Type	Required	Description
value	`dynamic`	✔️	The array to reverse.

Returns

Returns an array that contains the same elements as the input array in reverse order.

Example

This example shows an array of words reversed.

print arr=dynamic(["this", "is", "an", "example"]) 
| project Result=array_reverse(arr)

Output

Result
[“example”,“an”,“is”,“this”]

10 - array_rotate_left()

Learn how to use the array_rotate_left() function to rotate values inside a dynamic array to the left.

Rotates values inside a dynamic array to the left.

Syntax

array_rotate_left(array, rotate_count)

Parameters

Name	Type	Required	Description
array	`dynamic`	✔️	The array to rotate.
rotate_count	integer	✔️	The number of positions that array elements will be rotated to the left. If the value is negative, the elements will be rotated to the right.

Returns

Dynamic array containing the same elements as the original array with each element rotated according to rotate_count.

Examples

Rotating to the left by two positions:

print arr=dynamic([1,2,3,4,5])
| extend arr_rotated=array_rotate_left(arr, 2)

Output

arr	arr_rotated
[1,2,3,4,5]	[3,4,5,1,2]

Rotating to the right by two positions by using negative rotate_count value:

print arr=dynamic([1,2,3,4,5])
| extend arr_rotated=array_rotate_left(arr, -2)

Output

arr	arr_rotated
[1,2,3,4,5]	[4,5,1,2,3]

To rotate an array to the right, use array_rotate_right().
To shift an array to the left, use array_shift_left().
To shift an array to the right, use array_shift_right()

11 - array_rotate_right()

Learn how to use the array_rotate_right() function to rotate values inside a dynamic array to the right.

Rotates values inside a dynamic array to the right.

Syntax

array_rotate_right(array, rotate_count)

Parameters

Name	Type	Required	Description
array	`dynamic`	✔️	The array to rotate.
rotate_count	integer	✔️	The number of positions that array elements will be rotated to the right. If the value is negative, the elements will be rotated to the Left.

Returns

Dynamic array containing the same elements as the original array with each element rotated according to rotate_count.

Examples

Rotating to the right by two positions:

print arr=dynamic([1,2,3,4,5])
| extend arr_rotated=array_rotate_right(arr, 2)

Output

arr	arr_rotated
[1,2,3,4,5]	[4,5,1,2,3]

Rotating to the left by two positions by using negative rotate_count value:

Results

print arr=dynamic([1,2,3,4,5])
| extend arr_rotated=array_rotate_right(arr, -2)

Output

arr	arr_rotated
[1,2,3,4,5]	[3,4,5,1,2]

To rotate an array to the left, use array_rotate_left().
To shift an array to the left, use array_shift_left().
To shift an array to the right, use array_shift_right().

12 - array_shift_left()

Learn how to use the array_shift_left() function to shift the values inside a dynamic array to the left.

Shifts the values inside a dynamic array to the left.

Syntax

array_shift_left(array, shift_count [, default_value ])

Parameters

Name	Type	Required	Description
array	`dynamic`	✔️	The array to shift.
shift_count	`int`	✔️	The number of positions that array elements are shifted to the left. If the value is negative, the elements are shifted to the right.
default_value	scalar		The value used for an element that was shifted and removed. The default is null or an empty string depending on the type of elements in the array.

Returns

Returns a dynamic array containing the same number of elements as in the original array. Each element has been shifted according to shift_count. New elements that are added in place of removed elements have a value of default_value.

Examples

Shifting to the left by two positions:

print arr=dynamic([1,2,3,4,5])
| extend arr_shift=array_shift_left(arr, 2)

Output

arr	arr_shift
[1,2,3,4,5]	[3,4,5,null,null]

Shifting to the left by two positions and adding default value:

print arr=dynamic([1,2,3,4,5])
| extend arr_shift=array_shift_left(arr, 2, -1)

Output

arr	arr_shift
[1,2,3,4,5]	[3,4,5,-1,-1]

Shifting to the right by two positions by using negative shift_count value:

print arr=dynamic([1,2,3,4,5])
| extend arr_shift=array_shift_left(arr, -2, -1)

Output

arr	arr_shift
[1,2,3,4,5]	[-1,-1,1,2,3]

To shift an array to the right, use array_shift_right().
To rotate an array to the right, use array_rotate_right().
To rotate an array to the left, use array_rotate_left().

13 - array_shift_right()

Learn how to use the array_shift_right() function to shift values inside a dynamic array to the right.

Shifts the values inside a dynamic array to the right.

Syntax

array_shift_right(array, shift_count [, default_value ])

Parameters

Name	Type	Required	Description
array	`dynamic`	✔️	The array to shift.
shift_count	`int`	✔️	The number of positions that array elements are shifted to the right. If the value is negative, the elements are shifted to the left.
default_value	scalar		The value used for an element that was shifted and removed. The default is null or an empty string depending on the type of elements in the array.

Returns

Returns a dynamic array containing the same amount of the elements as in the original array. Each element has been shifted according to shift_count. New elements that are added instead of the removed elements have a value of default_value.

Examples

Shifting to the right by two positions:

print arr=dynamic([1,2,3,4,5])
| extend arr_shift=array_shift_right(arr, 2)

Output

arr	arr_shift
[1,2,3,4,5]	[null,null,1,2,3]

Shifting to the right by two positions and adding a default value:

print arr=dynamic([1,2,3,4,5])
| extend arr_shift=array_shift_right(arr, 2, -1)

Output

arr	arr_shift
[1,2,3,4,5]	[-1,-1,1,2,3]

Shifting to the left by two positions by using a negative shift_count value:

print arr=dynamic([1,2,3,4,5])
| extend arr_shift=array_shift_right(arr, -2, -1)

Output

arr	arr_shift
[1,2,3,4,5]	[3,4,5,-1,-1]

To shift an array to the left, use array_shift_left().
To rotate an array to the right, use array_rotate_right().
To rotate an array to the left, use array_rotate_left().

14 - array_slice()

Learn how to use the array_slice() function to extract a slice of a dynamic array.

Extracts a slice of a dynamic array.

Syntax

array_slice(array, start, end)

Parameters

Name	Type	Required	Description
array	`dynamic`	✔️	The array from which to extract the slice.
start	`int`	✔️	The start index of the slice (inclusive). Negative values are converted to `array_length`+`start`.
end	`int`	✔️	The last index of the slice. (inclusive). Negative values are converted to `array_length`+`end`.

Returns

Returns a dynamic array of the values in the range [start..end] from array.

Examples

The following examples return a slice of the array.

print arr=dynamic([1,2,3]) 
| extend sliced=array_slice(arr, 1, 2)

Output

arr	sliced
[1,2,3]	[2,3]

print arr=dynamic([1,2,3,4,5]) 
| extend sliced=array_slice(arr, 2, -1)

Output

arr	sliced
[1,2,3,4,5]	[3,4,5]

print arr=dynamic([1,2,3,4,5]) 
| extend sliced=array_slice(arr, -3, -2)

Output

arr	sliced
[1,2,3,4,5]	[3,4]

15 - array_sort_asc()

Learn how to use the array_sort_asc() function to sort arrays in ascending order.

Receives one or more arrays. Sorts the first array in ascending order. Orders the remaining arrays to match the reordered first array.

Syntax

array_sort_asc(array1[, …, arrayN][, nulls_last])

If nulls_last isn’t provided, a default value of true is used.

Parameters

Name	Type	Required	Description
array1…arrayN	`dynamic`	✔️	The array or list of arrays to sort.
nulls_last	`bool`		Determines whether `null`s should be last.

Returns

Returns the same number of arrays as in the input, with the first array sorted in ascending order, and the remaining arrays ordered to match the reordered first array.

null is returned for every array that differs in length from the first one.

An array which contains elements of different types, is sorted in the following order:

Numeric, datetime, and timespan elements
String elements
Guid elements
All other elements

Examples

The examples in this section show how to use the syntax to help you get started.

Sort two arrays

The following example sorts the initial array, array1, in ascending order. It then sorts array2 to match the new order of array1.

let array1 = dynamic([1,3,4,5,2]);
let array2 = dynamic(["a","b","c","d","e"]);
print array_sort_asc(array1,array2)

Output

array1_sorted	array2_sorted
[1,2,3,4,5]	[“a”,“e”,“b”,“c”,“d”]

Sort substrings

The following example sorts a list of names in ascending order. It saves a list of names to a variable, Names, which is then splits into an array and sorted in ascending order. The query returns the names in ascending order.

let Names = "John,Paul,Jane,Kao";
let SortedNames = strcat_array(array_sort_asc(split(Names, ",")), ",");
print result = SortedNames

Output

result
Jane,John,Kao,Paul

Combine summarize and array_sort_asc

The following example uses the summarize operator and the array_sort_asc function to organize and sort commands by user in chronological order.

datatable(command:string, command_time:datetime, user_id:string)
[
    'chmod',   datetime(2019-07-15),   "user1",
    'ls',      datetime(2019-07-02),   "user1",
    'dir',     datetime(2019-07-22),   "user1",
    'mkdir',   datetime(2019-07-14),   "user1",
    'rm',      datetime(2019-07-27),   "user1",
    'pwd',     datetime(2019-07-25),   "user1",
    'rm',      datetime(2019-07-23),   "user2",
    'pwd',     datetime(2019-07-25),   "user2",
]
| summarize timestamps = make_list(command_time), commands = make_list(command) by user_id
| project user_id, commands_in_chronological_order = array_sort_asc(timestamps, commands)[1]

Output

user_id	commands_in_chronological_order
user1	[ “ls”, “mkdir”, “chmod”, “dir”, “pwd”, “rm” ]
user2	[ “rm”, “pwd” ]

Control location of `null` values

By default, null values are put last in the sorted array. However, you can control it explicitly by adding a bool value as the last argument to array_sort_asc().

The following example shows the default behavior:

print result=array_sort_asc(dynamic([null,"blue","yellow","green",null]))

Output

result
[“blue”,“green”,“yellow”,null,null]

The following example shows nondefault behavior using the false parameter, which specifies that nulls are placed at the beginning of the array.

print result=array_sort_asc(dynamic([null,"blue","yellow","green",null]), false)

Output

result
[null,null,“blue”,“green”,“yellow”]

16 - array_sort_desc()

Learn how to use the array_sort_desc() function to sort arrays in descending order.

Receives one or more arrays. Sorts the first array in descending order. Orders the remaining arrays to match the reordered first array.

Syntax

array_sort_desc(array1[, …, argumentN])

array_sort_desc(array1[, …, argumentN],nulls_last)

If nulls_last isn’t provided, a default value of true is used.

Parameters

Name	Type	Required	Description
array1…arrayN	`dynamic`	✔️	The array or list of arrays to sort.
nulls_last	`bool`		Determines whether `null`s should be last.

Returns

Returns the same number of arrays as in the input, with the first array sorted in ascending order, and the remaining arrays ordered to match the reordered first array.

null is returned for every array that differs in length from the first one.

An array which contains elements of different types, is sorted in the following order:

Numeric, datetime, and timespan elements
String elements
Guid elements
All other elements

Examples

The examples in this section show how to use the syntax to help you get started.

Sort two arrays

The following example sorts the initial array, array1, in descending order. It then sorts array2 to match the new order of array1.

let array1 = dynamic([1,3,4,5,2]);
let array2 = dynamic(["a","b","c","d","e"]);
print array_sort_desc(array1,array2)

Output

array1_sorted	array2_sorted
[5,4,3,2,1]	[“d”,“c”,“b”,“e”,“a”]

Sort substrings

The following example sorts a list of names in descending order. It saves a list of names to a variable, Names, which is then splits into an array and sorted in descending order. The query returns the names in descending order.

let Names = "John,Paul,Jane,Kayo";
let SortedNames = strcat_array(array_sort_desc(split(Names, ",")), ",");
print result = SortedNames

Output

result
Paul,Kayo,John,Jane

Combine summarize and array_sort_desc

The following example uses the summarize operator and the array_sort_asc function to organize and sort commands by user in descending chronological order.

datatable(command:string, command_time:datetime, user_id:string)
[
    'chmod',   datetime(2019-07-15),   "user1",
    'ls',      datetime(2019-07-02),   "user1",
    'dir',     datetime(2019-07-22),   "user1",
    'mkdir',   datetime(2019-07-14),   "user1",
    'rm',      datetime(2019-07-27),   "user1",
    'pwd',     datetime(2019-07-25),   "user1",
    'rm',      datetime(2019-07-23),   "user2",
    'pwd',     datetime(2019-07-25),   "user2",
]
| summarize timestamps = make_list(command_time), commands = make_list(command) by user_id
| project user_id, commands_in_chronological_order = array_sort_desc(timestamps, commands)[1]

Output

user_id	commands_in_chronological_order
user1	[ “rm”, “pwd”, “dir”, “chmod”, “mkdir”, “ls” ]
user2	[ “pwd”, “rm” ]

Control location of `null` values

By default, null values are put last in the sorted array. However, you can control it explicitly by adding a bool value as the last argument to array_sort_asc().

The following example shows the default behavior:

print result=array_sort_desc(dynamic([null,"blue","yellow","green",null]))

Output

result
[“yellow”,“green”,“blue”,null,null]

The following example shows nondefault behavior using the false parameter, which specifies that nulls are placed at the beginning of the array.

print result=array_sort_desc(dynamic([null,"blue","yellow","green",null]), false)

Output

result
[null,null,“yellow”,“green”,“blue”]

17 - array_split()

Learn how to use the array_split() function to split an array into multiple arrays.

Splits an array to multiple arrays according to the split indices and packs the generated array in a dynamic array.

Syntax

array_split(array, index)

Parameters

Name	Type	Required	Description
array	`dynamic`	✔️	The array to split.
index	`int` or `dynamic`	✔️	An integer or dynamic array of integers used to indicate the location at which to split the array. The start index of arrays is zero. Negative values are converted to `array_length` + `value`.

Returns

Returns a dynamic array containing N+1 arrays with the values in the range [0..i1), [i1..i2), ... [iN..array_length) from array, where N is the number of input indices and i1...iN are the indices.

Examples

This following example shows how to split and array.

print arr=dynamic([1,2,3,4,5]) 
| extend arr_split=array_split(arr, 2)

Output

arr	arr_split
[1,2,3,4,5]	[[1,2],[3,4,5]]

print arr=dynamic([1,2,3,4,5]) 
| extend arr_split=array_split(arr, dynamic([1,3]))

Output

arr	arr_split
[1,2,3,4,5]	[[1],[2,3],[4,5]]

18 - array_sum()

Learn how to use the array_sum() function to calculate the sum of elements in a dynamic array.

Calculates the sum of elements in a dynamic array.

Syntax

array_sum(array)

Parameters

Name	Type	Required	Description
array	`dynamic`	✔️	The array to sum.

Returns

Returns a double type value with the sum of the elements of the array.

Example

This following example shows the sum of an array.

print arr=dynamic([1,2,3,4]) 
| extend arr_sum=array_sum(arr)

Output

arr	arr_sum
[1,2,3,4]	10

19 - asin()

Learn how to use the asin() function to calculate the angle from a sine input.

Calculates the angle whose sine is the specified number, or the arc sine. This is the inverse operation of sin().

Syntax

asin(x)

Parameters

Name	Type	Required	Description
x	`real`	✔️	A real number in range [-1, 1] used to calculate the arc sine.

Returns

Returns the value of the arc sine of x. Returns null if x < -1 or x > 1.

Example

asin(0.5)

Output

result
1.2532358975033751

20 - assert()

Learn how to use the assert() function to check for a condition and output an error message when false.

Checks for a condition. If the condition is false, outputs error messages and fails the query.

Syntax

assert(condition,message)

Parameters

Name	Type	Required	Description
condition	`bool`	✔️	The conditional expression to evaluate. The condition must be evaluated to constant during the query analysis phase.
message	`string`	✔️	The message used if assertion is evaluated to `false`.

Returns

Returns true if the condition is true. Raises a semantic error if the condition is evaluated to false.

Examples

The following query defines a function checkLength() that checks input string length, and uses assert to validate input length parameter (checks that it’s greater than zero).

let checkLength = (len:long, s:string)
{
    assert(len > 0, "Length must be greater than zero") and
    strlen(s) > len
};
datatable(input:string)
[
    '123',
    '4567'
]
| where checkLength(len=long(-1), input)

Running this query yields an error: assert() has failed with message: 'Length must be greater than zero'

Example of running with valid len input:

let checkLength = (len:long, s:string)
{
    assert(len > 0, "Length must be greater than zero") and strlen(s) > len
};
datatable(input:string)
[
    '123',
    '4567'
]
| where checkLength(len=3, input)

Output

input
4567

The following query will always fail, demonstrating that the assert function gets evaluated even though the where b operator returns no data when b is false:

let b=false;
print x="Hello"
| where b
| where assert(b, "Assertion failed")

21 - atan()

Learn how to use the atan() function to return the inverse operation of tan().

Returns the angle whose tangent is the specified number. This is the inverse operation of tan().

Syntax

atan(x)

Parameters

Name	Type	Required	Description
x	`real`	✔️	The number used to calculate the arc tangent.

Returns

The value of the arc tangent of x.

Example

atan(0.5)

Output

result
0.46364760900080609

22 - atan2()

Learn how to use the atan2() function to calculate an angle in radians between axes.

Calculates the angle, in radians, between the positive x-axis and the ray from the origin to the point (y, x).

Syntax

atan2(y,x)

Parameters

Name	Type	Required	Description
y	`real`	✔️	The Y coordinate.
x	`real`	✔️	The X coordinate.

Returns

Returns the angle in radians between the positive x-axis and the ray from the origin to the point (y, x).

Examples

The following example returns the angle measurements in radians.

print atan2_0 = atan2(1,1) // Pi / 4 radians (45 degrees)
| extend atan2_1 = atan2(0,-1) // Pi radians (180 degrees)
| extend atan2_2 = atan2(-1,0) // - Pi / 2 radians (-90 degrees)

Output

atan2_0	atan2_1	atan2_2
0.785398163397448	3.14159265358979	-1.5707963267949

23 - bag_has_key()

Learn how to use the bag_has_key() function to check if a dynamic property bag object contains a given key.

Checks whether a dynamic property bag object contains a given key.

Syntax

bag_has_key(bag,key)

Parameters

Name	Type	Required	Description
bag	`dynamic`	✔️	The property bag to search.
key	`string`	✔️	The key for which to search. Search for a nested key using the JSONPath notation. Array indexing isn’t supported.

Returns

True or false depending on if the key exists in the bag.

Examples

datatable(input: dynamic)
[
    dynamic({'key1' : 123, 'key2': 'abc'}),
    dynamic({'key1' : 123, 'key3': 'abc'}),
]
| extend result = bag_has_key(input, 'key2')

Output

input	result
{ “key1”: 123, “key2”: “abc” }	true
{ “key1”: 123, “key3”: “abc” }	false

Search using a JSONPath key

datatable(input: dynamic)
[
    dynamic({'key1': 123, 'key2': {'prop1' : 'abc', 'prop2': 'xyz'}, 'key3': [100, 200]}),
]
| extend result = bag_has_key(input, '$.key2.prop1')

Output

input	result
{ “key1”: 123, “key2”: { “prop1”: “abc”, “prop2”: “xyz” }, “key3”: [ 100, 200 ] }	true

24 - bag_keys()

Learn how to use the bag_keys() function to enumerate the root keys in a dynamic property bag object.

Enumerates all the root keys in a dynamic property bag object.

Syntax

bag_keys(object)

Parameters

Name	Type	Required	Description
object	`dynamic`	✔️	The property bag object for which to enumerate keys.

Returns

An array of keys, order is undetermined.

Example

datatable(index:long, d:dynamic) [
    1, dynamic({'a':'b', 'c':123}), 
    2, dynamic({'a':'b', 'c':{'d':123}}),
    3, dynamic({'a':'b', 'c':[{'d':123}]}),
    4, dynamic(null),
    5, dynamic({}),
    6, dynamic('a'),
    7, dynamic([])
]
| extend keys = bag_keys(d)

Output

index	d	keys
1	{ “a”: “b”, “c”: 123 }	[ “a”, “c” ]
2	{ “a”: “b”, “c”: { “d”: 123 } }	[ “a”, “c” ]
3	{ “a”: “b”, “c”: [ { “d”: 123 } ] }	[ “a”, “c” ]
4
5	{}	[]
6	a
7	[]

25 - bag_merge()

Learn how to use the bag_merge() function to merge property bags.

The function merges multiple dynamic property bags into a single dynamic property bag object, consolidating all properties from the input bags.

Syntax

bag_merge(bag1,bag2[,*bag3*, ...])

Parameters

Name	Type	Required	Description
bag1…bagN	`dynamic`	✔️	The property bags to merge. The function accepts between 2 to 64 arguments.

Returns

A dynamic property bag containing the merged results of all input property bags. If a key is present in multiple input bags, the value associated with the key from the leftmost argument takes precedence.

Example

print result = bag_merge(
   dynamic({'A1':12, 'B1':2, 'C1':3}),
   dynamic({'A2':81, 'B2':82, 'A1':1}))

Output

result
{ “A1”: 12, “B1”: 2, “C1”: 3, “A2”: 81, “B2”: 82 }

26 - bag_pack_columns()

Learn how to use the bag_pack_columns() function to create a dynamic JSON object from a list of columns.

Creates a dynamic property bag object from a list of columns.

Syntax

bag_pack_columns(column1, column2,... )

Parameters

Name	Type	Required	Description
column	scalar	✔️	A column to pack. The name of the column is the property name in the property bag.

Returns

Returns a dynamic property bag object from the listed columns.

Examples

The following example creates a property bag that includes the Id and Value columns:

datatable(Id: string, Value: string, Other: long)
[
    "A", "val_a", 1,
    "B", "val_b", 2,
    "C", "val_c", 3
]
| extend Packed = bag_pack_columns(Id, Value)

Id	Value	Other	Packed
A	val_a	1	{ “Id”: “A”, “Value”: “val_a” }
B	val_b	2	{ “Id”: “B”, “Value”: “val_b” }
C	val_c	3	{ “Id”: “C”, “Value”: “val_c” }

|C|val_c|3|{
“Id”: “C”,
“Value”: “val_c”
}|

27 - bag_pack()

Learn how to use the bag_pack() function to create a dynamic JSON object from a list of keys and values.

Creates a dynamic property bag object from a list of keys and values.

Syntax

bag_pack(key1, value1, key2, value2,... )

Parameters

Name	Type	Required	Description
key	`string`	✔️	The key name.
value	any scalar data type	✔️	The key value.

Returns

Returns a dynamic property bag object from the listed key and value inputs.

Examples

Example 1

The following example creates and returns a property bag from an alternating list of keys and values.

print bag_pack("Level", "Information", "ProcessID", 1234, "Data", bag_pack("url", "www.bing.com"))

Results

print_0
{“Level”:“Information”,“ProcessID”:1234,“Data”:{“url”:“www.bing.com”}}

Example 2

The following example creates a property bag and extract value from property bag using ‘.’ operator.

datatable (
    Source: int,
    Destination: int,
    Message: string
) [
    1234, 100, "AA", 
    4567, 200, "BB",
    1212, 300, "CC" 
]
| extend MyBag=bag_pack("Dest", Destination, "Mesg", Message)
| project-away Source, Destination, Message
| extend MyBag_Dest=MyBag.Dest, MyBag_Mesg=MyBag.Mesg

Results

MyBag	MyBag_Dest	MyBag_Mesg
{“Dest”:100,“Mesg”:“AA”}	100	AA
{“Dest”:200,“Mesg”:“BB”}	200	BB
{“Dest”:300,“Mesg”:“CC”}	300	CC

Example 3

The following example uses two tables, SmsMessages and MmsMessages, and returns their common columns and a property bag from the other columns. The tables are created ad-hoc as part of the query.

SmsMessages

SourceNumber	TargetNumber	CharsCount
555-555-1234	555-555-1212	46
555-555-1234	555-555-1213	50
555-555-1212	555-555-1234	32

MmsMessages

SourceNumber	TargetNumber	AttachmentSize	AttachmentType	AttachmentName
555-555-1212	555-555-1213	200	jpeg	Pic1
555-555-1234	555-555-1212	250	jpeg	Pic2
555-555-1234	555-555-1213	300	png	Pic3

let SmsMessages = datatable (
    SourceNumber: string,
    TargetNumber: string,
    CharsCount: string
) [
    "555-555-1234", "555-555-1212", "46", 
    "555-555-1234", "555-555-1213", "50",
    "555-555-1212", "555-555-1234", "32" 
];
let MmsMessages = datatable (
    SourceNumber: string,
    TargetNumber: string,
    AttachmentSize: string,
    AttachmentType: string,
    AttachmentName: string
) [
    "555-555-1212", "555-555-1213", "200", "jpeg", "Pic1",
    "555-555-1234", "555-555-1212", "250", "jpeg", "Pic2",
    "555-555-1234", "555-555-1213", "300", "png", "Pic3"
];
SmsMessages 
| join kind=inner MmsMessages on SourceNumber
| extend Packed=bag_pack("CharsCount", CharsCount, "AttachmentSize", AttachmentSize, "AttachmentType", AttachmentType, "AttachmentName", AttachmentName) 
| where SourceNumber == "555-555-1234"
| project SourceNumber, TargetNumber, Packed

Results

SourceNumber	TargetNumber	Packed
555-555-1234	555-555-1213	{“CharsCount”:“50”,“AttachmentSize”:“250”,“AttachmentType”:“jpeg”,“AttachmentName”:“Pic2”}
555-555-1234	555-555-1212	{“CharsCount”:“46”,“AttachmentSize”:“250”,“AttachmentType”:“jpeg”,“AttachmentName”:“Pic2”}
555-555-1234	555-555-1213	{“CharsCount”:“50”,“AttachmentSize”:“300”,“AttachmentType”:“png”,“AttachmentName”:“Pic3”}
555-555-1234	555-555-1212	{“CharsCount”:“46”,“AttachmentSize”:“300”,“AttachmentType”:“png”,“AttachmentName”:“Pic3”}

28 - bag_remove_keys()

Learn how to use the bag_remove_keys() function to remove keys and associated values from property bags.

Removes keys and associated values from a dynamic property bag.

Syntax

bag_remove_keys(bag,keys)

Parameters

Name	Type	Required	Description
bag	`dynamic`	✔️	The property bag from which to remove keys.
keys	`dynamic`	✔️	List of keys to be removed from the input. The keys are the first level of the property bag. You can specify keys on the nested levels using JSONPath notation. Array indexing isn’t supported.

Returns

Returns a dynamic property bag without specified keys and their values.

Examples

datatable(input:dynamic)
[
    dynamic({'key1' : 123,     'key2': 'abc'}),
    dynamic({'key1' : 'value', 'key3': 42.0}),
]
| extend result=bag_remove_keys(input, dynamic(['key2', 'key4']))

Output

input	result
{ “key1”: 123, “key2”: “abc” }	{ “key1”: 123 }
{ “key1”: “value”, “key3”: 42.0 }	{ “key1”: “value”, “key3”: 42.0 }

Remove inner properties of dynamic values using JSONPath notation

datatable(input:dynamic)
[
    dynamic({'key1': 123, 'key2': {'prop1' : 'abc', 'prop2': 'xyz'}, 'key3': [100, 200]}),
]
| extend result=bag_remove_keys(input, dynamic(['$.key2.prop1', 'key3']))

Output

input	result
{ “key1”: 123, “key2”: { “prop1”: “abc”, “prop2”: “xyz” }, “key3”: [ 100, 200 ] }	{ “key1”: 123, “key2”: { “prop2”: “xyz” } }

29 - bag_set_key()

Learn how to use the bag_set_key() function to set a given key to a given value in a dynamic property-bag.

bag_set_key() receives a dynamic property-bag, a key and a value. The function sets the given key in the bag to the given value. The function overrides any existing value in case the key already exists.

Syntax

bag_set_key(bag,key,value)

Parameters

Name	Type	Required	Description
bag	`dynamic`	✔️	The property bag to modify.
key	`string`	✔️	The key to set. Either a JSON path (you can specify a key on the nested levels using JSONPath notation) or the key name for a root level key. Array indexing or root JSON paths aren’t supported.
value	any scalar data type	✔️	The value to which the key is set.

Returns

Returns a dynamic property-bag with specified key-value pairs. If the input bag isn’t a property-bag, a null value is returned.

Examples

Use a root-level key

datatable(input: dynamic) [
    dynamic({'key1': 1, 'key2': 2}), 
    dynamic({'key1': 1, 'key3': 'abc'}),
]
| extend result = bag_set_key(input, 'key3', 3)

input	result
{ “key1”: 1, “key2”: 2 }	{ “key1”: 1, “key2”: 2, “key3”: 3 }
{ “key1”: 1, “key3”: “abc” }	{ “key1”: 1, “key3”: 3 }

Use a JSONPath key

datatable(input: dynamic)[
    dynamic({'key1': 123, 'key2': {'prop1': 123, 'prop2': 'xyz'}}),
    dynamic({'key1': 123})
]
| extend result = bag_set_key(input, '$.key2.prop1', 'abc')

input	result
{ “key1”: 123, “key2”: { “prop1”: 123, “prop2”: “xyz” } }	{ “key1”: 123, “key2”: { “prop1”: “abc”, “prop2”: “xyz” } }
{ “key1”: 123 }	{ “key1”: 123, “key2”: { “prop1”: “abc” } }

30 - bag_zip()

Learn how to use bag_zip() to merge two dynamic arrays into a single property-bag of keys and values.

Creates a dynamic property-bag from two input dynamic arrays. In the resulting property-bag, the values from the first input array are used as the property keys, while the values from the second input array are used as corresponding property values.

Syntax

bag_zip(KeysArray, ValuesArray)

Parameters

Name	Type	Required	Description
KeysArray	`dynamic`	✔️	An array of strings. These strings represent the property names for the resulting property-bag.
ValuesArray	`dynamic`	✔️	An array whose values will be the property values for the resulting property-bag.

Returns

Returns a dynamic property-bag.

Examples

In the following example, the array of keys and the array of values are the same length and are zipped together into a dynamic property bag.

let Data = datatable(KeysArray: dynamic, ValuesArray: dynamic) [
    dynamic(['a', 'b', 'c']), dynamic([1, '2', 3.4])
];
Data
| extend NewBag = bag_zip(KeysArray, ValuesArray)

KeysArray	ValuesArray	NewBag
[‘a’,‘b’,‘c’]	[1,‘2’,3.4]	{‘a’: 1,‘b’: ‘2’,‘c’: 3.4}

More keys than values

In the following example, the array of keys is longer than the array of values. The missing values are filled with nulls.

let Data = datatable(KeysArray: dynamic, ValuesArray: dynamic) [
    dynamic(['a', 'b', 'c']), dynamic([1, '2'])
];
Data
| extend NewBag = bag_zip(KeysArray, ValuesArray)

KeysArray	ValuesArray	NewBag
[‘a’,‘b’,‘c’]	[1,‘2’]	{‘a’: 1,‘b’: ‘2’,‘c’: null}

More values than keys

In the following example, the array of values is longer than the array of keys. Values with no matching keys are ignored.

let Data = datatable(KeysArray: dynamic, ValuesArray: dynamic) [
    dynamic(['a', 'b']), dynamic([1, '2', 2.5])
];
Data
| extend NewBag = bag_zip(KeysArray, ValuesArray)

KeysArray	ValuesArray	NewBag
[‘a’,‘b’]	[1,‘2’,2.5]	{‘a’: 1,‘b’: ‘2’}

Non-string keys

In the following example, there are some values in they keys array that aren’t of type string. The non-string values are ignored.

let Data = datatable(KeysArray: dynamic, ValuesArray: dynamic) [
    dynamic(['a', 8, 'b']), dynamic([1, '2', 2.5])
];
Data
| extend NewBag = bag_zip(KeysArray, ValuesArray)

KeysArray	ValuesArray	NewBag
[‘a’,8,‘b’]	[1,‘2’,2.5]	{‘a’: 1,‘b’: 2.5}

Fill values with null

In the following example, the parameter that is supposed to be an array of values isn’t an array, so all values are filled with nulls.

let Data = datatable(KeysArray: dynamic, ValuesArray: dynamic) [
    dynamic(['a', 8, 'b']), dynamic(1)
];
Data
| extend NewBag = bag_zip(KeysArray, ValuesArray)

KeysArray	ValuesArray	NewBag
[‘a’,8,‘b’]	1	{‘a’: null,‘b’: null}

Null property-bag

In the following example, the parameter that is supposed to be an array of keys isn’t an array, so the resulting property-bag is null.

let Data = datatable(KeysArray: dynamic, ValuesArray: dynamic) [
    dynamic('a'), dynamic([1, '2', 2.5])
];
Data
| extend NewBag = bag_zip(KeysArray, ValuesArray)
| extend IsNewBagEmpty=isnull(NewBag)

| KeysArray | ValuesArray | NewBag | IsNewBagEmpty | |–|–|–| | a | [1,‘2’,2.5] | | TRUE |

zip function

31 - base64_decode_toarray()

Learn how to use the base64_decode_toarray() function to decode a base64 string into an array of long values.

Decodes a base64 string to an array of long values.

Syntax

base64_decode_toarray(base64_string)

Parameters

Name	Type	Required	Description
base64_string	`string`	✔️	The value to decode from base64 to an array of long values.

Returns

Returns an array of long values decoded from a base64 string.

Example

print Quine=base64_decode_toarray("S3VzdG8=")  
// 'K', 'u', 's', 't', 'o'

Output

Quine
[75,117,115,116,111]

To decode base64 strings to a UTF-8 string, see base64_decode_tostring()
To encode strings to a base64 string, see base64_encode_tostring()

32 - base64_decode_toguid()

Learn how to use base64_decode_toguid() function to return a GUID from a base64 string.

Decodes a base64 string to a GUID.

Syntax

base64_decode_toguid(base64_string)

Parameters

Name	Type	Required	Description
base64_string	`string`	✔️	The value to decode from base64 to a GUID.

Returns

Returns a GUID decoded from a base64 string.

Example

print Quine = base64_decode_toguid("JpbpECu8dUy7Pv5gbeJXAA==")

Output

Quine
10e99626-bc2b-754c-bb3e-fe606de25700

If you try to decode an invalid base64 string, “null” will be returned:

print Empty = base64_decode_toguid("abcd1231")

To encode a GUID to a base64 string, see base64_encode_fromguid().

33 - base64_decode_tostring()

Learn how to use a base64_decode_tostring() function to decode a base64 string into a UTF-8 string.

Decodes a base64 string to a UTF-8 string.

Syntax

base64_decode_tostring(base64_string)

Parameters

Name	Type	Required	Description
base64_string	`string`	✔️	The value to decode from base64 to UTF-8 string.

Returns

Returns UTF-8 string decoded from base64 string.

Example

print Quine=base64_decode_tostring("S3VzdG8=")

Output

Quine
Kusto

Trying to decode a base64 string that was generated from invalid UTF-8 encoding returns null:

print Empty=base64_decode_tostring("U3RyaW5n0KHR0tGA0L7Rh9C60LA=")

Output

Empty

To decode base64 strings to an array of long values, see base64_decode_toarray()
To encode strings to base64 string, see base64_encode_tostring()

34 - base64_encode_fromarray()

Learn how to use the base64_encode_fromarray() function to encode a base64 string from a bytes array.

Encodes a base64 string from a bytes array.

Syntax

base64_encode_fromarray(base64_string_decoded_as_a_byte_array)

Parameters

Name	Type	Required	Description
base64_string_decoded_as_a_byte_array	`dynamic`	✔️	The bytes (integer) array to be encoded into a base64 string.

Returns

Returns the base64 string encoded from the bytes array. Note that byte is an integer type.

Examples

let bytes_array = toscalar(print base64_decode_toarray("S3VzdG8="));
print decoded_base64_string = base64_encode_fromarray(bytes_array)

Output

decoded_base64_string
S3VzdG8=

Trying to encode a base64 string from an invalid bytes array that was generated from invalid UTF-8 encoded string will return null:

let empty_bytes_array = toscalar(print base64_decode_toarray("U3RyaW5n0KHR0tGA0L7Rh9C60LA"));
print empty_string = base64_encode_fromarray(empty_bytes_array)

Output

empty_string

For decoding base64 strings to a UTF-8 string, see base64_decode_tostring()
For encoding strings to a base64 string see base64_encode_tostring()
This function is the inverse of base64_decode_toarray()

35 - base64_encode_fromguid()

Learn how to use the base64_encode_fromguid() function to return a base64 string from a GUID.

Encodes a GUID to a base64 string.

Syntax

base64_encode_fromguid(guid)

Parameters

Name	Type	Required	Description
guid	`guid`	✔️	The value to encode to a base64 string.

Returns

Returns a base64 string encoded from a GUID.

Example

print Quine = base64_encode_fromguid(toguid("ae3133f2-6e22-49ae-b06a-16e6a9b212eb"))

Output

Quine
8jMxriJurkmwahbmqbIS6w==

If you try to encode anything that isn’t a GUID as below, an error will be thrown:

print Empty = base64_encode_fromguid("abcd1231")

To decode a base64 string to a GUID, see base64_decode_toguid().
To create a GUID from a string, see toguid().

36 - base64_encode_tostring()

This article describes base64_encode_tostring().

Encodes a string as base64 string.

Syntax

base64_encode_tostring(string)

Parameters

Name	Type	Required	Description
string	`string`	✔️	The value to encode as a base64 string.

Returns

Returns string encoded as a base64 string.

Example

print Quine=base64_encode_tostring("Kusto")

Output

Quine
S3VzdG8=

To decode base64 strings to UTF-8 strings, see base64_decode_tostring().
To decode base64 strings to an array of long values, see base64_decode_toarray().

37 - beta_cdf()

Learn how to use the beta_cdf() function to return a standard beta cumulative distribution function.

Returns the standard cumulative beta distribution function.

If probability = beta_cdf(x,…), then beta_inv(probability,…) = x.

The beta distribution is commonly used to study variation in the percentage of something across samples, such as the fraction of the day people spend watching television.

Syntax

beta_cdf(x, alpha, beta)

Parameters

Name	Type	Required	Description
x	int, long, or real	✔️	A value at which to evaluate the function.
alpha	int, long, or real	✔️	A parameter of the distribution.
beta	int, long, or real	✔️	A parameter of the distribution.

Returns

The cumulative beta distribution function.

Examples

datatable(x:double, alpha:double, beta:double, comment:string)
[
    0.9, 10.0, 20.0, "Valid input",
    1.5, 10.0, 20.0, "x > 1, yields NaN",
    double(-10), 10.0, 20.0, "x < 0, yields NaN",
    0.1, double(-1.0), 20.0, "alpha is < 0, yields NaN"
]
| extend b = beta_cdf(x, alpha, beta)

Output

x	alpha	beta	comment	b
0.9	10	20	Valid input	0.999999999999959
1.5	10	20	x > 1, yields NaN	NaN
-10	10	20	x < 0, yields NaN	NaN
0.1	-1	20	alpha is < 0, yields NaN	NaN

For computing the inverse of the beta cumulative probability density function, see beta-inv().
For computing probability density function, see beta-pdf().

38 - beta_inv()

Learn how to use the beta_inv() function to return the inverse of the beta cumulative probability density function.

Returns the inverse of the beta cumulative probability density function.

If probability = beta_cdf(x,…), then beta_inv(probability,…) = x.

The beta distribution can be used in project planning to model probable completion times given an expected completion time and variability.

Syntax

beta_inv(probability,alpha,beta)

Parameters

Name	Type	Required	Description
probability	int, long, or real	✔️	A probability associated with the beta distribution.
alpha	int, long, or real	✔️	A parameter of the distribution.
beta	int, long, or real	✔️	A parameter of the distribution.

Returns

The inverse of the beta cumulative probability density function beta_cdf()

Examples

datatable(p:double, alpha:double, beta:double, comment:string)
[
    0.1, 10.0, 20.0, "Valid input",
    1.5, 10.0, 20.0, "p > 1, yields null",
    0.1, double(-1.0), 20.0, "alpha is < 0, yields NaN"
]
| extend b = beta_inv(p, alpha, beta)

Output

p	alpha	beta	comment	b
0.1	10	20	Valid input	0.226415022388749
1.5	10	20	p > 1, yields null
0.1	-1	20	alpha is < 0, yields NaN	NaN

For computing cumulative beta distribution function, see beta-cdf().
For computing probability beta density function, see beta-pdf().

39 - beta_pdf()

Learn how to use the beta_pdf() function to return the beta probability density function.

Returns the probability density beta function.

The beta distribution is commonly used to study variation in the percentage of something across samples, such as the fraction of the day people spend watching television.

Syntax

beta_pdf(x, alpha, beta)

Parameters

Name	Type	Required	Description
x	int, long, or real	✔️	A value at which to evaluate the function.
alpha	int, long, or real	✔️	A parameter of the distribution.
beta	int, long, or real	✔️	A parameter of the distribution.

Returns

The probability beta density function.

Examples

datatable(x:double, alpha:double, beta:double, comment:string)
[
    0.5, 10.0, 20.0, "Valid input",
    1.5, 10.0, 20.0, "x > 1, yields NaN",
    double(-10), 10.0, 20.0, "x < 0, yields NaN",
    0.1, double(-1.0), 20.0, "alpha is < 0, yields NaN"
]
| extend r = beta_pdf(x, alpha, beta)

Output

x	alpha	beta	comment	r
0.5	10	20	Valid input	0.746176019310951
1.5	10	20	x > 1, yields NaN	NaN
-10	10	20	x < 0, yields NaN	NaN
0.1	-1	20	alpha is < 0, yields NaN	NaN

For computing the inverse of the beta cumulative probability density function, see beta-inv().
For the standard cumulative beta distribution function, see beta-cdf().

40 - bin_at()

Learn how to use the bin_at() function to round values down to a fixed-size bin.

Returns the value rounded down to the nearest bin size, which is aligned to a fixed reference point.

In contrast to the bin() function, where the point of alignment is predefined, bin_at() allows you to define a fixed point for alignment. Results can align before or after the fixed point.

Syntax

bin_at (value,bin_size,fixed_point)

Parameters

Name	Type	Required	Description
value	`int`, `long`, `real`, `timespan`, or `datetime`	✔️	The value to round.
bin_size	`int`, `long`, `real`, or `timespan`	✔️	The size of each bin.
fixed_point	`int`, `long`, `real`, `timespan`, or `datetime`	✔️	A constant of the same type as value, which is used as a fixed reference point.

Returns

The nearest multiple of bin_size below the given value that aligns to the specified fixed_point.

Examples

In the following example, value is rounded down to the nearest bin_size that aligns to the fixed_point.

print bin_at(6.5, 2.5, 7)

Output

print_0
4.5

In the following example, the time interval is binned into daily bins aligned to a 12 hour fixed point. The return value is -12 since a daily bin aligned to 12 hours rounds down to 12 on the previous day.

print bin_at(time(1h), 1d, 12h)

Output

print_0
-12:00:00

In the following example, daily bins align to noon.

print bin_at(datetime(2017-05-15 10:20:00.0), 1d, datetime(1970-01-01 12:00:00.0))

Output

print_0
2017-05-14T12:00:00Z

In the following example, bins are weekly and align to the start of Sunday June 6, 2017. The example returns a bin aligned to Sundays.

print bin_at(datetime(2017-05-17 10:20:00.0), 7d, datetime(2017-06-04 00:00:00.0))

Output

print_0
2017-05-14T00:00:00Z

In the following example, the total number of events are grouped into daily bins aligned to the fixed_point date and time. The fixed_point value is included in one of the returned bins.

datatable(Date:datetime, NumOfEvents:int)[
datetime(2018-02-24T15:14),3,
datetime(2018-02-24T15:24),4,
datetime(2018-02-23T16:14),4,
datetime(2018-02-23T17:29),4,
datetime(2018-02-26T15:14),5]
| summarize TotalEvents=sum(NumOfEvents) by bin_at(Date, 1d, datetime(2018-02-24 15:14:00.0000000))

Output

Date	TotalEvents
2018-02-23T15:14:00Z	8
2018-02-24T15:14:00Z	7
2018-02-26T15:14:00Z	5

bin()

41 - bin_auto()

Learn how to use the bin_auto() function to round values down to a fixed-size bin.

Rounds values down to a fixed-size bin, with control over the bin size and starting point provided by a query property.

Syntax

bin_auto (value)

Parameters

Name	Type	Required	Description
value	int, long, real, timespan, or datetime	✔️	The value to round into bins.

To control the bin size and starting point, set the following parameters before using the function.

Name	Type	Required	Description
query_bin_auto_size	int, long, real, or timespan	✔️	Indicates the size of each bin.
query_bin_auto_at	int, long, real, or timespan		Indicates one value of value which is a “fixed point” for which `bin_auto(fixed_point)` == `fixed_point`. Default is 0.

Returns

The nearest multiple of query_bin_auto_size below value, shifted so that query_bin_auto_at will be translated into itself.

Examples

set query_bin_auto_size=1h;
set query_bin_auto_at=datetime(2017-01-01 00:05);
range Timestamp from datetime(2017-01-01 00:05) to datetime(2017-01-01 02:00) step 1m
| summarize count() by bin_auto(Timestamp)

Output

Timestamp	count_
2017-01-01 00:05:00.0000000	60
2017-01-01 01:05:00.0000000	56

42 - bin()

Learn how to use the bin() function to round values down to an integer multiple of a given bin size.

Rounds values down to an integer multiple of a given bin size.

Used frequently in combination with summarize by .... If you have a scattered set of values, they’ll be grouped into a smaller set of specific values.

Syntax

bin(value,roundTo)

Parameters

Name	Type	Required	Description
value	int, long, real, timespan, or datetime	✔️	The value to round down.
roundTo	int, long, real, or timespan	✔️	The “bin size” that divides value.

Returns

The nearest multiple of roundTo below value. Null values, a null bin size, or a negative bin size will result in null.

Examples

Numeric bin

print bin(4.5, 1)

Output

print_0
4

Timespan bin

print bin(time(16d), 7d)

Output

print_0
14:00:00:00

Datetime bin

print bin(datetime(1970-05-11 13:45:07), 1d)

Output

print_0
1970-05-11T00:00:00Z

Pad a table with null bins

When there are rows for bins with no corresponding row in the table, we recommend to pad the table with those bins. The following query looks at strong wind storm events in California for a week in April. However, there are no events on some of the days.

let Start = datetime('2007-04-07');
let End = Start + 7d;
StormEvents
| where StartTime between (Start .. End)
| where State == "CALIFORNIA" and EventType == "Strong Wind"
| summarize PropertyDamage=sum(DamageProperty) by bin(StartTime, 1d)

Output

StartTime	PropertyDamage
2007-04-08T00:00:00Z	3000
2007-04-11T00:00:00Z	1000
2007-04-12T00:00:00Z	105000

In order to represent the full week, the following query pads the result table with null values for the missing days. Here’s a step-by-step explanation of the process:

Use the union operator to add more rows to the table.
The range operator produces a table that has a single row and column.
The mv-expand operator over the range function creates as many rows as there are bins between StartTime and EndTime.
Use a PropertyDamage of 0.
The summarize operator groups together bins from the original table to the table produced by the union expression. This process ensures that the output has one row per bin whose value is either zero or the original count.

let Start = datetime('2007-04-07');
let End = Start + 7d;
StormEvents
| where StartTime between (Start .. End)
| where State == "CALIFORNIA" and EventType == "Strong Wind"
| union (
    range x from 1 to 1 step 1
    | mv-expand StartTime=range(Start, End, 1d) to typeof(datetime)
    | extend PropertyDamage=0
    )
| summarize PropertyDamage=sum(DamageProperty) by bin(StartTime, 1d)

Output

StartTime	PropertyDamage
2007-04-07T00:00:00Z	0
2007-04-08T00:00:00Z	3000
2007-04-09T00:00:00Z	0
2007-04-10T00:00:00Z	0
2007-04-11T00:00:00Z	1000
2007-04-12T00:00:00Z	105000
2007-04-13T00:00:00Z	0
2007-04-14T00:00:00Z	0

43 - binary_and()

Learn how to use the binary_and() function to compare bits in corresponding operands.

Returns a result of the bitwise AND operation between two values.

Syntax

binary_and(value1,value2)

Parameters

Name	Type	Required	Description
value1	`long`	✔️	The left-hand value of the bitwise `AND` operation.
value2	`long`	✔️	The right-hand value of the bitwise `AND` operation.

Returns

Returns logical AND operation on a pair of numbers: value1 & value2.

44 - binary_not()

Learn how to use the binary_not() function to return a bitwise negation of the input value.

Returns a bitwise negation of the input value.

Syntax

binary_not(value)

Parameters

Name	Type	Required	Description
value	`long`	✔️	The value to negate.

Returns

Returns logical NOT operation on a number: value.

Example

binary_not(100)

Output

result
-101

45 - binary_or()

Learn how to use the bianry_or() function to perform a bitwise OR operation of the two values.

Returns a result of the bitwise or operation of the two values.

Syntax

binary_or(value1, value2 )

Parameters

Name	Type	Required	Description
value1	`long`	✔️	The left-hand value of the bitwise `OR` operation.
value2	`long`	✔️	The right-hand value of the bitwise `OR` operation.

Returns

Returns logical OR operation on a pair of numbers: value1 | value2.

46 - binary_shift_left()

Learn how to use the binary_shift_left() function to perform a binary shift left operation on a pair of numbers.

Returns binary shift left operation on a pair of numbers.

Syntax

binary_shift_left(value,shift)

Parameters

Name	Type	Required	Description
value	`int`	✔️	The value to shift left.
shift	`int`	✔️	The number of bits to shift left.

Returns

Returns binary shift left operation on a pair of numbers: value « (shift%64). If n is negative, a NULL value is returned.

Example

binary_shift_left(1,2)

Output

Result
4

47 - binary_shift_right()

Learn how to use the binary_shift_right() function to perform a binary shift right operation on a pair of numbers.

Returns binary shift right operation on a pair of numbers.

Syntax

binary_shift_right(value,shift)

Parameters

Name	Type	Required	Description
value	`int`	✔️	The value to shift right.
shift	`int`	✔️	The number of bits to shift right.

Returns

Returns binary shift right operation on a pair of numbers: value » (shift%64). If n is negative, a NULL value is returned.

Examples

binary_shift_right(1,2)

Output

Result
0

48 - binary_xor()

Learn how to use the binary_xor() function to perform the bitwise xor operation on a pair of values.

Returns a result of the bitwise xor operation of the two values.

Syntax

binary_xor(value1,value2)

Parameters

Name	Type	Required	Description
value1	`int`	✔️	The left-side value of the XOR operation.
value2	`int`	✔️	The right-side value of the XOR operation.

Returns

Returns logical XOR operation on a pair of numbers: value1 ^ value2.

Examples

binary_xor(1,1)

Output

Result
0

binary_xor(1,2)

Output

Result
3

49 - bitset_count_ones()

Learn how to use the bitset_count_ones() function to return the number of set bits in the binary representation of a number.

Returns the number of set bits in the binary representation of a number.

Syntax

bitset_count_ones(value)

Parameters

Name	Type	Required	Description
value	`int`	✔️	The value for which to calculate the number of set bits.

Returns

Returns the number of set bits in the binary representation of a number.

Example

// 42 = 32+8+2 : b'00101010' == 3 bits set
print ones = bitset_count_ones(42)

Output

ones
3

50 - case()

Learn how to use the case() function to evaluate a list of predicates and return the first expression for which the predicate evaluates to true.

Evaluates a list of predicates and returns the first result expression whose predicate is satisfied.

If none of the predicates return true, the result of the else expression is returned. All predicate arguments must be expressions that evaluate to a boolean value. All then arguments and the else argument must be of the same type.

Syntax

case(predicate_1, then_1, [predicate_2, then_2, …] else)

Parameters

Name	Type	Required	Description
predicate	`string`	✔️	An expression that evaluates to a `boolean` value.
then	`string`	✔️	An expression that gets evaluated and its value is returned from the function if predicate is the first predicate that evaluates to `true`.
else	`string`	✔️	An expression that gets evaluated and its value is returned from the function if neither of the predicate_i evaluate to `true`.

Returns

The value of the first then_i whose predicate_i evaluates to true, or the value of else if neither of the predicates are satisfied.

Example

range Size from 1 to 15 step 2
| extend bucket = case(Size <= 3, "Small", 
                       Size <= 10, "Medium", 
                       "Large")

Output

Size	bucket
1	Small
3	Small
5	Medium
7	Medium
9	Medium
11	Large
13	Large
15	Large

51 - ceiling()

Learn how to use the ceiling() function to calculate the smallest integer greater than, or equal to, the specified numeric expression.

Calculates the smallest integer greater than, or equal to, the specified numeric expression.

Syntax

ceiling(number)

Parameters

Name	Type	Required	Description
number	int, long, or real	✔️	The value to round up.

Returns

The smallest integer greater than, or equal to, the specified numeric expression.

Examples

print c1 = ceiling(-1.1), c2 = ceiling(0), c3 = ceiling(0.9)

Output

c1	c2	c3
-1	0	1

52 - coalesce()

Learn how to use the coalesce() function to evaluate a list of expressions to return the first non-null expression.

Evaluates a list of expressions and returns the first non-null (or non-empty for string) expression.

Syntax

coalesce(arg,arg_2,[arg_3,...])

Parameters

Name	Type	Required	Description
arg	scalar	✔️	The expression to be evaluated.

Returns

The value of the first arg whose value isn’t null (or not-empty for string expressions).

Example

print result=coalesce(tolong("not a number"), tolong("42"), 33)

Output

result
42

53 - column_ifexists()

Learn how to use the column_ifexists() function to return a reference to the column if it exists.

Displays the column, if the column exists. Otherwise, it returns the default column.

Syntax

column_ifexists(columnName,defaultValue)

Parameters

Name	Type	Required	Description
columnName	`string`	✔️	The name of the column to return.
defaultValue	scalar	✔️	The default column to return if columnName doesn’t exist in the table. This value can be any scalar expression. For example, a reference to another column.

Returns

If columnName exists, then returns the column. Otherwise, it returns the defaultValue column.

Example

This example returns the default State column, because a column named Capital doesn’t exist in the StormEvents table.

StormEvents | project column_ifexists("Capital", State)

Output

This output shows the first 10 rows of the default State column.

State
ATLANTIC SOUTH
FLORIDA
FLORIDA
GEORGIA
MISSISSIPPI
MISSISSIPPI
MISSISSIPPI
MISSISSIPPI
AMERICAN SAMOA
KENTUCKY
…

54 - convert_angle()

Learn how to use the convert_angle() function to convert an angle input value from one unit to another.

Convert an angle value from one unit to another.

Syntax

convert_angle(value,from,to)

Parameters

Name	Type	Required	Description
`value`	`real`	✔️	The value to be converted.
`from`	`string`	✔️	The unit to convert from. For possible values, see Conversion units.
`to`	`string`	✔️	The unit to convert to. For possible values, see Conversion units.

Conversion units

Arcminute
Arcsecond
Centiradian
Deciradian
Degree
Gradian
Microdegree
Microradian
Millidegree
Milliradian
Nanodegree
Nanoradian
NatoMil
Radian
Revolution
Tilt

Returns

Returns the input value converted from one angle unit to another. Invalid units return null.

Example

print result = convert_angle(1.2, 'Degree', 'Arcminute')

Output

result
72

55 - convert_energy()

Learn how to use the convert_energy() function to convert an energy input value from one unit to another.

Convert an energy value from one unit to another.

Syntax

convert_energy(value,from,to)

Parameters

Name	Type	Required	Description
value	`real`	✔️	The value to be converted.
from	`string`	✔️	The unit to convert from. For possible values, see Conversion units.
to	`string`	✔️	The unit to convert to. For possible values, see Conversion units.

Conversion units

BritishThermalUnit
Calorie
DecathermEc
DecathermImperial
DecathermUs
ElectronVolt
Erg
FootPound
GigabritishThermalUnit
GigaelectronVolt
Gigajoule
GigawattDay
GigawattHour
HorsepowerHour
Joule
KilobritishThermalUnit
Kilocalorie
KiloelectronVolt
Kilojoule
KilowattDay
KilowattHour
MegabritishThermalUnit
Megacalorie
MegaelectronVolt
Megajoule
MegawattDay
MegawattHour
Millijoule
TeraelectronVolt
TerawattDay
TerawattHour
ThermEc
ThermImperial
ThermUs
WattDay
WattHour

Returns

Returns the input value converted from one energy unit to another. Invalid units return null.

Example

print result = convert_energy(1.2, 'Joule', 'BritishThermalUnit')

Output

result
0.00113738054437598

56 - convert_force()

Learn how to use the convert_force() function to convert a force input value from one unit to another.

Convert a force value from one unit to another.

Syntax

convert_force(value,from,to)

Parameters

Name	Type	Required	Description
value	`real`	✔️	The value to be converted.
from	`string`	✔️	The unit to convert from. For possible values, see Conversion units.
to	`string`	✔️	The unit to convert to. For possible values, see Conversion units.

Conversion units

Decanewton
Dyn
KilogramForce
Kilonewton
KiloPond
KilopoundForce
Meganewton
Micronewton
Millinewton
Newton
OunceForce
Poundal
PoundForce
ShortTonForce
TonneForce

Returns

Returns the input value converted from one force unit to another. Invalid units return null.

Example

print result = convert_force(1.2, 'Newton', 'Decanewton')

Output

result
0.12

57 - convert_length()

Learn how to use the convert_length() function to convert a length input value from one unit to another.

Convert a length value from one unit to another.

Syntax

convert_length(value,from,to)

Parameters

Name	Type	Required	Description
value	`real`	✔️	The value to be converted.
from	`string`	✔️	The unit to convert from. For possible values, see Conversion units.
to	`string`	✔️	The unit to convert to. For possible values, see Conversion units.

Conversion units

Angstrom
AstronomicalUnit
Centimeter
Chain
DataMile
Decameter
Decimeter
DtpPica
DtpPoint
Fathom
Foot
Hand
Hectometer
Inch
KilolightYear
Kilometer
Kiloparsec
LightYear
MegalightYear
Megaparsec
Meter
Microinch
Micrometer
Mil
Mile
Millimeter
Nanometer
NauticalMile
Parsec
PrinterPica
PrinterPoint
Shackle
SolarRadius
Twip
UsSurveyFoot
Yard

Returns

Returns the input value converted from one length unit to another. Invalid units return null.

Example

print result = convert_length(1.2, 'Meter', 'Foot')

Output

result
3.93700787401575

58 - convert_mass()

Learn how to use the convert_mass() function to convert a mass input value from one unit to another.

Convert a mass value from one unit to another.

Syntax

convert_mass(value,from,to)

Parameters

Name	Type	Required	Description
value	`real`	✔️	The value to be converted.
from	`string`	✔️	The unit to convert from. For possible values, see Conversion units.
to	`string`	✔️	The unit to convert to. For possible values, see Conversion units.

Conversion units

Centigram
Decagram
Decigram
EarthMass
Grain
Gram
Hectogram
Kilogram
Kilopound
Kilotonne
LongHundredweight
LongTon
Megapound
Megatonne
Microgram
Milligram
Nanogram
Ounce
Pound
ShortHundredweight
ShortTon
Slug
SolarMass
Stone
Tonne

Returns

Returns the input value converted from one mass unit to another. Invalid units return null.

Example

print result = convert_mass(1.2, 'Kilogram', 'Pound')

Output

result
2.64554714621853

59 - convert_speed()

Learn how to use the convert_speed() function to convert a speed input value from one unit to another.

Convert a speed value from one unit to another.

Syntax

convert_speed(value,from,to)

Parameters

Name	Type	Required	Description
value	`real`	✔️	The value to be converted.
from	`string`	✔️	The unit to convert from. For possible values, see Conversion units.
to	`string`	✔️	The unit to convert to. For possible values, see Conversion units.

Conversion units

CentimeterPerHour
CentimeterPerMinute
CentimeterPerSecond
DecimeterPerMinute
DecimeterPerSecond
FootPerHour
FootPerMinute
FootPerSecond
InchPerHour
InchPerMinute
InchPerSecond
KilometerPerHour
KilometerPerMinute
KilometerPerSecond
Knot
MeterPerHour
MeterPerMinute
MeterPerSecond
MicrometerPerMinute
MicrometerPerSecond
MilePerHour
MillimeterPerHour
MillimeterPerMinute
MillimeterPerSecond
NanometerPerMinute
NanometerPerSecond
UsSurveyFootPerHour
UsSurveyFootPerMinute
UsSurveyFootPerSecond
YardPerHour
YardPerMinute
YardPerSecond

Returns

Returns the input value converted from one speed unit to another. Invalid units return null.

Example

print result = convert_speed(1.2, 'MeterPerSecond', 'CentimeterPerHour')

Output

result
432000

60 - convert_temperature()

Learn how to use the convert_temperature() function to convert a temperature input value from one unit to another.

Convert a temperature value from one unit to another.

Syntax

convert_temperature(value,from,to)

Parameters

Name	Type	Required	Description
value	`real`	✔️	The value to be converted.
from	`string`	✔️	The unit to convert from. For possible values, see Conversion units.
to	`string`	✔️	The unit to convert to. For possible values, see Conversion units.

Conversion units

DegreeCelsius
DegreeDelisle
DegreeFahrenheit
DegreeNewton
DegreeRankine
DegreeReaumur
DegreeRoemer
Kelvin
MillidegreeCelsius
SolarTemperature

Returns

Returns the input value converted from one temperature unit to another. Invalid units return null.

Example

print result = convert_temperature(1.2, 'Kelvin', 'DegreeCelsius')

Output

result
-271.95

61 - convert_volume()

Learn how to use the convert_volume() function to convert a volume input value from one unit to another.

Convert a volume value from one unit to another.

Syntax

convert_volume(value,from,to)

Parameters

Name	Type	Required	Description
value	`real`	✔️	The value to be converted.
from	`string`	✔️	The unit to convert from. For possible values, see Conversion units.
to	`string`	✔️	The unit to convert to. For possible values, see Conversion units.

Conversion units

AcreFoot
AuTablespoon
BoardFoot
Centiliter
CubicCentimeter
CubicDecimeter
CubicFoot
CubicHectometer
CubicInch
CubicKilometer
CubicMeter
CubicMicrometer
CubicMile
CubicMillimeter
CubicYard
Decaliter
DecausGallon
Deciliter
DeciusGallon
HectocubicFoot
HectocubicMeter
Hectoliter
HectousGallon
ImperialBeerBarrel
ImperialGallon
ImperialOunce
ImperialPint
KilocubicFoot
KilocubicMeter
KiloimperialGallon
Kiloliter
KilousGallon
Liter
MegacubicFoot
MegaimperialGallon
Megaliter
MegausGallon
MetricCup
MetricTeaspoon
Microliter
Milliliter
OilBarrel
UkTablespoon
UsBeerBarrel
UsCustomaryCup
UsGallon
UsLegalCup
UsOunce
UsPint
UsQuart
UsTablespoon
UsTeaspoon

Returns

Returns the input value converted from one volume unit to another. Invalid units return null.

Example

print result = convert_volume(1.2, 'CubicMeter', 'AcreFoot')

Output

result
0.0009728568

62 - cos()

Learn how to use the cos() function to return the cosine of the input value.

Returns the cosine function value of the specified angle. The angle is specified in radians.

Syntax

cos(number)

Parameters

Name	Type	Required	Description
number	`real`	✔️	The value in radians for which to calculate the cosine.

Returns

The cosine of number of radians.

Example

print cos(1)

Output

result
0.54030230586813977

63 - cot()

Learn how to use the cot() function to calculate the trigonometric cotangent of the specified angle in radians.

Calculates the trigonometric cotangent of the specified angle, in radians.

Syntax

cot(number)

Parameters

Name	Type	Required	Description
number	`real`	✔️	The value for which to calculate the cotangent.

Returns

The cotangent function value for number.

Example

print cot(1)

Output

result
0.64209261593433065

64 - countof()

Learn how to use the countof() function to count the occurrences of a substring in a string.

Counts occurrences of a substring in a string. Plain string matches may overlap; regex matches don’t.

Syntax

countof(source, search [, kind])

Parameters

Name	Type	Required	Description
source	`string`	✔️	The value to search.
search	`string`	✔️	The value or regular expression to match inside source.
kind	`string`		The value `normal` or `regex`. The default is `normal`.

Returns

The number of times that the search value can be matched in the source string. Plain string matches may overlap; regex matches don’t.

Examples

Function call	Result
`countof("aaa", "a")`	3
`countof("aaaa", "aa")`	3 (not 2!)
`countof("ababa", "ab", "normal")`	2
`countof("ababa", "aba")`	2
`countof("ababa", "aba", "regex")`	1
`countof("abcabc", "a.c", "regex")`	2

65 - current_cluster_endpoint()

Learn how to use the current_cluster_endpoint() function to return the network endpoint of the cluster being queried as a string type value.

Returns the network endpoint (DNS name) of the current cluster being queried.

Returns the network endpoint (DNS name) of the current Eventhouse being queried.

Syntax

current_cluster_endpoint()

Returns

The network endpoint (DNS name) of the current cluster being queried, as a value of type string.

The network endpoint (DNS name) of the current Eventhouse being queried, as a value of type string.

Example

print strcat("This query executed on: ", current_cluster_endpoint())

66 - current_database()

Learn how to use the current_database() function to return the name of the database in scope as a string type value.

Returns the name of the database in scope (database that all query entities are resolved against if no other database is specified).

Syntax

current_database()

Returns

The name of the database in scope as a value of type string.

Example

print strcat("Database in scope: ", current_database())

67 - current_principal_details()

Learn how to use the current_principal_details() function to return the details of the principal running the query.

Returns details of the principal running the query.

Syntax

current_principal_details()

Returns

The details of the current principal as a dynamic. The following table describes the returned fields.

Field	Description
UserPrincipalName	The sign-in identifier for users. For more information, see UPN.
IdentityProvider	The source that validates the identity of the principal.
Authority	The Microsoft Entra tenant ID.
Mfa	Indicates the use of multifactor authentication. For more information, see Access token claims reference.
Type	The category of the principal: `aaduser`, `aadapp`, or `aadgroup`.
DisplayName	The user-friendly name for the principal that is displayed in the UI.
ObjectId	The Microsoft Entra object ID for the principal.
FQN	The Fully Qualified Name (FQN) of the principal. Valuable for security role management commands. For more information, see Referencing security principals.
Country	The user’s country or region. This property is returned if the information is present. The value is a standard two-letter country or region code, for example, FR, JP, and SZ.
TenantCountry	The resource tenant’s country or region, set at a tenant level by an admin. This property is returned if the information is present. The value is a standard two-letter country or region code, for example, FR, JP, and SZ.
TenantRegion	The region of the resource tenant. This property is returned if the information is present. The value is a standard two-letter country or region code, for example, FR, JP, and SZ.

Example

print details=current_principal_details()

Example output

details

{
“Country”: “DE”,
“TenantCountry”: “US”,
“TenantRegion”: “WW”,
“UserPrincipalName”: “user@fabrikam.com”,
“IdentityProvider”: “https://sts.windows.net”,
“Authority”: “aaaabbbb-0000-cccc-1111-dddd2222eeee”,
“Mfa”: “True”,
“Type”: “AadUser”,
“DisplayName”: “James Smith (upn: user@fabrikam.com)”,
“ObjectId”: “aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb”,
“FQN”: null,
“Notes”: null
}

68 - current_principal_is_member_of()

Learn how to use the current_principal_is_member_of() function to check the identity of the principal running the query.

Checks group membership or principal identity of the current principal running the query.

Syntax

current_principal_is_member_of(group)

Parameters

Name	Type	Required	Description
group	`dynamic`	✔️	An array of string literals in which each literal represents a Microsoft Entra principal. See examples for Microsoft Entra principals.

Returns

The function returns true if the current principal running the query is successfully matched for at least one input argument. If not, the function returns false.

Examples

print result=current_principal_is_member_of(
    'aaduser=user1@fabrikam.com', 
    'aadgroup=group1@fabrikam.com',
    'aadapp=66ad1332-3a94-4a69-9fa2-17732f093664;72f988bf-86f1-41af-91ab-2d7cd011db47'
    )

Output

result
false

Using dynamic array instead of multiple arguments:

print result=current_principal_is_member_of(
    dynamic([
    'aaduser=user1@fabrikam.com', 
    'aadgroup=group1@fabrikam.com',
    'aadapp=66ad1332-3a94-4a69-9fa2-17732f093664;72f988bf-86f1-41af-91ab-2d7cd011db47'
    ]))

Output

result
false

69 - current_principal()

Learn how to use the current_principal() function to return the name of the principal running the query.

Returns the current principal name that runs the query.

Syntax

current_principal()

Returns

The current principal fully qualified name (FQN) as a string.
The string format is:
PrinciplaType=PrincipalId;TenantId

Example

print fqn=current_principal()

Example output

fqn
aaduser=346e950e-4a62-42bf-96f5-4cf4eac3f11e;72f988bf-86f1-41af-91ab-2d7cd011db47

70 - cursor_after()

Learn how to use the cursor_after() function to compare the ingestion time of the records of a table against the database cursor time.

A predicate run over the records of a table to compare their ingestion time against a database cursor.

IngestionTime policy enabled.

Syntax

cursor_after(RHS)

Parameters

Name	Type	Required	Description
RHS	`string`	✔️	Either an empty string literal or a valid database cursor value.

Returns

A scalar value of type bool that indicates whether the record was ingested after the database cursor RHS (true) or not (false).

database cursors

71 - cursor_before_or_at()

Learn how to use the cursor_before_or_at() function to compare the ingestion time of the records of a table against the database cursor time.

A predicate function run over the records of a table to compare their ingestion time against the database cursor time.

IngestionTime policy enabled.

Syntax

cursor_before_or_at(RHS)

Parameters

Name	Type	Required	Description
RHS	`string`	✔️	Either an empty string literal or a valid database cursor value.

Returns

A scalar value of type bool that indicates whether the record was ingested before or at the database cursor RHS (true) or not (false).

database cursors

72 - cursor_current()

Learn how to use the cursor_current() function to return a string type value.

Retrieves the current value of the cursor of the database in scope.

Syntax

cursor_current()

Returns

Returns a single value of type string that encodes the current value of the cursor of the database in scope.

database cursors

73 - datetime_add()

Learn how to use the datetime_add() function to calculate a new datetime.

Calculates a new datetime from a specified period multiplied by a specified amount, added to, or subtracted from a specified datetime.

Syntax

datetime_add(period,amount,datetime)

Parameters

Name	Type	Required	Description
period	`string`	✔️	The length of time by which to increment.
amount	`int`	✔️	The number of periods to add to or subtract from datetime.
datetime	`datetime`	✔️	The date to increment by the result of the period x amount calculation.

Possible values of period:

Year
Quarter
Month
Week
Day
Hour
Minute
Second
Millisecond
Microsecond
Nanosecond

Returns

A datetime after a certain time/date interval has been added.

Examples

Period

print  year = datetime_add('year',1,make_datetime(2017,1,1)),
quarter = datetime_add('quarter',1,make_datetime(2017,1,1)),
month = datetime_add('month',1,make_datetime(2017,1,1)),
week = datetime_add('week',1,make_datetime(2017,1,1)),
day = datetime_add('day',1,make_datetime(2017,1,1)),
hour = datetime_add('hour',1,make_datetime(2017,1,1)),
minute = datetime_add('minute',1,make_datetime(2017,1,1)),
second = datetime_add('second',1,make_datetime(2017,1,1))

Output

year	quarter	month	week	day	hour	minute	second
2018-01-01 00:00:00.0000000	2017-04-01 00:00:00.0000000	2017-02-01 00:00:00.0000000	2017-01-08 00:00:00.0000000	2017-01-02 00:00:00.0000000	2017-01-01 01:00:00.0000000	2017-01-01 00:01:00.0000000	2017-01-01 00:00:01.0000000

Amount

print  year = datetime_add('year',-5,make_datetime(2017,1,1)),
quarter = datetime_add('quarter',12,make_datetime(2017,1,1)),
month = datetime_add('month',-15,make_datetime(2017,1,1)),
week = datetime_add('week',100,make_datetime(2017,1,1))

Output

year	quarter	month	week
2012-01-01T00:00:00Z	2020-01-01T00:00:00Z	2015-10-01T00:00:00Z	2018-12-02T00:00:00Z

74 - datetime_diff()

Learn how to use the datetime_diff() function to calculate the period between two datetime values.

Calculates the number of the specified periods between two datetime values.

Syntax

datetime_diff(period,datetime1,datetime2)

Parameters

Name	Type	Required	Description
period	`string`	✔️	The measurement of time used to calculate the return value. See possible values.
datetime1	`datetime`	✔️	The left-hand side of the subtraction equation.
datetime2	`datetime`	✔️	The right-hand side of the subtraction equation.

Possible values of period

These values are case insensitive:

Year
Quarter
Month
Week
Day
Hour
Minute
Second
Millisecond
Microsecond
Nanosecond

Returns

An integer that represents the amount of periods in the result of subtraction (datetime1 - datetime2).

Example

print
year = datetime_diff('year',datetime(2017-01-01),datetime(2000-12-31)),
quarter = datetime_diff('quarter',datetime(2017-07-01),datetime(2017-03-30)),
month = datetime_diff('month',datetime(2017-01-01),datetime(2015-12-30)),
week = datetime_diff('week',datetime(2017-10-29 00:00),datetime(2017-09-30 23:59)),
day = datetime_diff('day',datetime(2017-10-29 00:00),datetime(2017-09-30 23:59)),
hour = datetime_diff('hour',datetime(2017-10-31 01:00),datetime(2017-10-30 23:59)),
minute = datetime_diff('minute',datetime(2017-10-30 23:05:01),datetime(2017-10-30 23:00:59)),
second = datetime_diff('second',datetime(2017-10-30 23:00:10.100),datetime(2017-10-30 23:00:00.900)),
millisecond = datetime_diff('millisecond',datetime(2017-10-30 23:00:00.200100),datetime(2017-10-30 23:00:00.100900)),
microsecond = datetime_diff('microsecond',datetime(2017-10-30 23:00:00.1009001),datetime(2017-10-30 23:00:00.1008009)),
nanosecond = datetime_diff('nanosecond',datetime(2017-10-30 23:00:00.0000000),datetime(2017-10-30 23:00:00.0000007))

Output

year	quarter	month	week	day	hour	minute	second	millisecond	microsecond	nanosecond
17	2	13	5	29	2	5	10	100	100	-700

75 - datetime_list_timezones()

Get a list of all supported timezones.

Returns a list of supported timezones a time-zone specification.

Syntax

datetime_list_timezones()

Parameters

None, the function doesn’t have any parameters.

Returns

A list of timezones supported by the Internet Assigned Numbers Authority (IANA) Time Zone Database.

Example

print datetime_list_timezones()

Output print datetime_list_timezones()

To convert from UTC to local, see datetime_utc_to_local()
To convert a datetime from local to UTC, see datetime_local_to_utc()
Timezones
format_datetime()

76 - datetime_local_to_utc()

Learn how to use the datetime_local_to_utc() function to convert local datetime to UTC datetime.

Converts local datetime to UTC datetime using a time-zone specification.

Syntax

datetime_local_to_utc(from,timezone)

Parameters

Name	Type	Required	Description
from	`datetime`	✔️	The local datetime to convert.
timezone	`string`	✔️	The timezone of the desired datetime. The value must be one of the supported timezones.

Returns

A UTC datetime that corresponds the local datetime in the specified timezone.

Example

datatable(local_dt: datetime, tz: string)
[ datetime(2020-02-02 20:02:20), 'US/Pacific', 
  datetime(2020-02-02 20:02:20), 'America/Chicago', 
  datetime(2020-02-02 20:02:20), 'Europe/Paris']
| extend utc_dt = datetime_local_to_utc(local_dt, tz)

Output

local_dt	tz	utc_dt
2020-02-02 20:02:20.0000000	Europe/Paris	2020-02-02 19:02:20.0000000
2020-02-02 20:02:20.0000000	America/Chicago	2020-02-03 02:02:20.0000000
2020-02-02 20:02:20.0000000	US/Pacific	2020-02-03 04:02:20.0000000

range Local from datetime(2022-03-27 01:00:00.0000000) to datetime(2022-03-27 04:00:00.0000000) step 1h
| extend UTC=datetime_local_to_utc(Local, 'Europe/Brussels')
| extend BackToLocal=datetime_utc_to_local(UTC, 'Europe/Brussels')
| extend diff=Local-BackToLocal

Local	UTC	BackToLocal	diff
2022-03-27 02:00:00.0000000	2022-03-27 00:00:00.0000000	2022-03-27 01:00:00.0000000	01:00:00
2022-03-27 01:00:00.0000000	2022-03-27 00:00:00.0000000	2022-03-27 01:00:00.0000000	00:00:00
2022-03-27 03:00:00.0000000	2022-03-27 01:00:00.0000000	2022-03-27 03:00:00.0000000	00:00:00
2022-03-27 04:00:00.0000000	2022-03-27 02:00:00.0000000	2022-03-27 04:00:00.0000000	00:00:00

To convert from UTC to local, see datetime_utc_to_local()
Timezones
List of supported timezones
format_datetime()

77 - datetime_part()

This article describes datetime_part().

Extracts the requested date part as an integer value.

Syntax

datetime_part(part,datetime)

Parameters

Name	Type	Required	Description
part	`string`	✔️	Measurement of time to extract from date. See possible values.
date	`datetime`	✔️	The full date from which to extract part.

Possible values of part

Year
Quarter
Month
week_of_year
Day
DayOfYear
Hour
Minute
Second
Millisecond
Microsecond
Nanosecond

Returns

An integer representing the extracted part.

Example

let dt = datetime(2017-10-30 01:02:03.7654321); 
print 
year = datetime_part("year", dt),
quarter = datetime_part("quarter", dt),
month = datetime_part("month", dt),
weekOfYear = datetime_part("week_of_year", dt),
day = datetime_part("day", dt),
dayOfYear = datetime_part("dayOfYear", dt),
hour = datetime_part("hour", dt),
minute = datetime_part("minute", dt),
second = datetime_part("second", dt),
millisecond = datetime_part("millisecond", dt),
microsecond = datetime_part("microsecond", dt),
nanosecond = datetime_part("nanosecond", dt)

Output

year	quarter	month	weekOfYear	day	dayOfYear	hour	minute	second	millisecond	microsecond	nanosecond
2017	4	10	44	30	303	1	2	3	765	765432	765432100

78 - datetime_utc_to_local()

This article describes the datetime_utc_to_local function.

Converts UTC datetime to local datetime using a time-zone specification.

Syntax

datetime_utc_to_local(from,timezone)

Parameters

Name	Type	Required	Description
from	`datetime`	✔️	The UTC datetime to convert.
timezone	`string`	✔️	The timezone to convert to. This value must be one of the supported timezones.

Returns

A local datetime in the timezone that corresponds the UTC datetime.

Example

print dt=now()
| extend pacific_dt = datetime_utc_to_local(dt, 'US/Pacific'), canberra_dt = datetime_utc_to_local(dt, 'Australia/Canberra')
| extend diff = pacific_dt - canberra_dt

Output

dt	pacific_dt	canberra_dt	diff
2022-07-11 22:18:48.4678620	2022-07-11 15:18:48.4678620	2022-07-12 08:18:48.4678620	-17:00:00

To convert a datetime from local to UTC, see datetime_local_to_utc()
Timezones
List of supported timezones
format_datetime()

79 - dayofmonth()

Learn how to use the dayofmonth() function to return an integer representing the day of the month.

Returns an integer representing the day number of the given datetime.

Syntax

dayofmonth(date)

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The datetime used to extract the day number.

Returns

An integer representing the day number of the given datetime.

Example

dayofmonth(datetime(2015-12-14))

Output

result
14

80 - dayofweek()

Learn how to use the dayofweek() function to return the timespan since the preceding Sunday.

Returns the number of days since the preceding Sunday, as a timespan.

To convert timespan to int, see Convert timespan to integer.

Syntax

dayofweek(date)

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The datetime for which to determine the day of week.

Returns

The timespan since midnight at the beginning of the preceding Sunday, rounded down to an integer number of days.

Examples

The following example returns 0, indicating that the specified datetime is a Sunday.

print
Timespan = dayofweek(datetime(1947-11-30 10:00:05))

Output

Timespan
00:00:00

The following example returns 1, indicating that the specified datetime is a Monday.

print
Timespan = dayofweek(datetime(1970-05-11))

Output

Timespan
1.00:00:00

Convert timespan to integer

The following example returns the number of days both as a timespan and as data type int.

let dow=dayofweek(datetime(1970-5-12));
print Timespan = dow, Integer = toint(dow/1d)

Output

Timespan	Integer
2.00:00:00	2

The timespan data type

81 - dayofyear()

Learn how to use the dayofyear() function to return the day number of the given year.

Returns the integer number represents the day number of the given year.

Syntax

dayofyear(date)

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The datetime for which to determine the day number.

Returns

The day number of the given year.

Example

dayofyear(datetime(2015-12-14))

Output

result
348

82 - dcount_hll()

Learn how to use the dcount_hll() function to calculate the distinct count from hyper log log (hll) intermediate calculation results.

Calculates the distinct count from results generated by hll or hll_merge.

Read about the underlying algorithm (HyperLogLog) and estimation accuracy.

Syntax

dcount_hll(hll)

Parameters

Name	Type	Required	Description
hll	`string`	✔️	An expression generated by hll or hll-merge to be used to find the distinct count.

Returns

Returns the distinct count of each value in hll.

Example

The following example shows the distinct count hll merged results.

StormEvents
| summarize hllRes = hll(DamageProperty) by bin(StartTime,10m)
| summarize hllMerged = hll_merge(hllRes)
| project dcount_hll(hllMerged)

Output

dcount_hll_hllMerged
315

Estimation accuracy

83 - degrees()

Learn how to use the degrees() function to convert angle values from radians to values in degrees.

Converts angle value in radians into value in degrees, using the formula degrees = (180 / PI ) * angle_in_radians.

Syntax

degrees(radians)

Parameters

Name	Type	Required	Description
radians	`real`	✔️	The angle in radians to convert to degrees.

Returns

The corresponding angle in degrees for an angle specified in radians.

Examples

print degrees0 = degrees(pi()/4), degrees1 = degrees(pi()*1.5), degrees2 = degrees(0)

Output

degrees0	degrees1	degrees2
45	270	0

84 - dynamic_to_json()

Learn how to use the dynamic_to_json() function to convert a scalar value of type dynamic to a canonical string representation.

Converts a scalar value of type dynamic to a canonical string representation.

Syntax

dynamic_to_json(expr)

Parameters

Name	Type	Required	Description
expr	`dynamic`	✔️	The expression to convert to string representation.

Returns

Returns a canonical representation of the input as a value of type string, according to the following rules:

If the input is a scalar value of type other than dynamic, the output is the application of tostring() to that value.
If the input is an array of values, the output is composed of the characters [, ,, and ] interspersed with the canonical representation described here of each array element.
If the input is a property bag, the output is composed of the characters {, ,, and } interspersed with the colon (:)-delimited name/value pairs of the properties. The pairs are sorted by the names, and the values are in the canonical representation described here of each array element.

Example

let bag1 = dynamic_to_json(
  dynamic({
    'Y10':dynamic({}),
    'X8': dynamic({
      'c3':1,
      'd8':5,
      'a4':6
    }),
    'D1':114,
    'A1':12,
    'B1':2,
    'C1':3,
    'A14':[15, 13, 18]
}));
let bag2 = dynamic_to_json(
  dynamic({
    'X8': dynamic({
      'a4':6,
      'c3':1,
      'd8':5
    }),
    'A14':[15, 13, 18],
    'C1':3,
    'B1':2,
    'Y10': dynamic({}),
    'A1':12, 'D1':114
  }));
print AreEqual=bag1 == bag2, Result=bag1

Output

AreEqual	Result
true	{“A1”:12,“A14”:[15,13,18],“B1”:2,“C1”:3,“D1”:114,“X8”:{“a4”:6,“c3”:1,“d8”:5},“Y10”:{}}

85 - endofday()

Learn how to use the endofday() function to return a datetime representing the end of the day for the given date value.

Returns the end of the day containing the date, shifted by an offset, if provided.

Syntax

endofday(date [, offset])

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The date to find the end of.
offset	`int`		The number of offset days from date. Default is 0.

Returns

A datetime representing the end of the day for the given date value, with the offset, if specified.

Example

  range offset from -1 to 1 step 1
 | project dayEnd = endofday(datetime(2017-01-01 10:10:17), offset)

Output

dayEnd
2016-12-31 23:59:59.9999999
2017-01-01 23:59:59.9999999
2017-01-02 23:59:59.9999999

86 - endofmonth()

Learn how to use the endofmonth() function to return a datetime representing the end of the month for the given date value.

Returns the end of the month containing the date, shifted by an offset, if provided.

Syntax

endofmonth(date [, offset])

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The date used to find the end of the month.
offset	`int`		The number of offset months from date. Default is 0.

Returns

A datetime representing the end of the month for the given date value, with the offset, if specified.

Example

  range offset from -1 to 1 step 1
 | project monthEnd = endofmonth(datetime(2017-01-01 10:10:17), offset)

Output

monthEnd
2016-12-31 23:59:59.9999999
2017-01-31 23:59:59.9999999
2017-02-28 23:59:59.9999999

87 - endofweek()

Learn how to use the endofweek() function to return a datetime representing the end of the week for the given date value.

Returns the end of the week containing the date, shifted by an offset, if provided.

Last day of the week is considered to be a Saturday.

Syntax

endofweek(date [, offset])

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The date used to find the end of the week.
offset	`int`		The number of offset weeks from date. Default is 0.

Returns

A datetime representing the end of the week for the given date value, with the offset, if specified.

Example

  range offset from -1 to 1 step 1
 | project weekEnd = endofweek(datetime(2017-01-01 10:10:17), offset)

Output

weekEnd
2016-12-31 23:59:59.9999999
2017-01-07 23:59:59.9999999
2017-01-14 23:59:59.9999999

88 - endofyear()

Learn how to use the endofyear() function to return a datetime representing the end of the year for the given date value.

Returns the end of the year containing the date, shifted by an offset, if provided.

Syntax

endofyear(date [, offset])

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The date used to find the end of the year.
offset	`int`		The number of offset years from date. Default is 0.

Returns

A datetime representing the end of the year for the given date value, with the &offset, if specified.

Example

  range offset from -1 to 1 step 1
 | project yearEnd = endofyear(datetime(2017-01-01 10:10:17), offset)

Output

yearEnd
2016-12-31 23:59:59.9999999
2017-12-31 23:59:59.9999999
2018-12-31 23:59:59.9999999

89 - erf()

This article describes erf() function.

Returns the error function of the input.

Syntax

erf(x)

Parameters

Name	Type	Required	Description
x	`real`	✔️	The value for which to calculate the function.

Returns

Error function of x.

Example

range x from -3 to 3 step 1
| extend erf_x = erf(x)

x	erf_x
-3	-0.999977909503001
-2	-0.995322265018953
-1	-0.842700792949715
0	0
1	0.842700792949715
2	0.995322265018953
3	0.999977909503001

90 - erfc()

This article describes erfc() function.

Returns the complementary error function of the input.

Syntax

erfc(x)

Parameters

Name	Type	Required	Description
x	`real`	✔️	The value for which to calculate the function.

Returns

Complementary error function of x.

Example

range x from -3 to 3 step 1
| extend erf_x = erfc(x)

x	erf_x
-3	1.999977909503001
-2	1.995322265018953
-1	1.842700792949715
0	1
1	0.157299207050285
2	0.00467773498104727
3	2.20904969985854E-05

91 - estimate_data_size()

Learn how to use the estimate_data_size() function to return an estimated data size in bytes of the selected columns of the tabular expression.

Returns an estimated data size in bytes of the selected columns of the tabular expression.

Syntax

estimate_data_size(columns)

Parameters

Name	Type	Required	Description
columns	`string`	✔️	One or more comma-separated column references in the source tabular expression to use for data size estimation. To include all columns, use the wildcard (`*`) character.

Returns

The estimated data size in bytes of the referenced columns. Estimation is based on data types and actual values. For example, the data size for the string '{"a":"bcd"}' is smaller than the dynamic value dynamic({"a":"bcd"}) because the latter’s internal representation is more complex than that of a string.

Example

The following example calculates the total data size using estimate_data_size().

range x from 1 to 10 step 1                    // x (long) is 8 
| extend Text = '1234567890'                   // Text length is 10  
| summarize Total=sum(estimate_data_size(*))   // (8+10)x10 = 180

Output

Total
180

Estimate table size

92 - exp()

Learn how to use the exp() function to return the base-e exponential value of x.

The base-e exponential function of x, which is e raised to the power x: e^x.

Syntax

exp(x)

Parameters

Name	Type	Required	Description
x	`real`	✔️	The value of the exponent.

Returns

The exponential value of x.

For natural (base-e) logarithms, see log().
For exponential functions of base-2 and base-10 logarithms, see exp2(), exp10().

93 - exp10()

Learn how to use the exp10() function to return the base-10 exponential value of x.

The base-10 exponential function of x, which is 10 raised to the power x: 10^x.

Syntax

exp10(x)

Parameters

Name	Type	Required	Description
x	`real`	✔️	The value of the exponent.

Returns

The exponential value of x.

For natural (base-10) logarithms, see log10().
For exponential functions of base-e and base-2 logarithms, see exp(), exp2().

94 - exp2()

Learn how to use the exp2() function to return the base-2 exponential value of x.

The base-2 exponential function of x, which is 2 raised to the power x: 2^x.

Syntax

exp2(x)

Parameters

Name	Type	Required	Description
x	`real`	✔️	The value of the exponent.

Returns

The exponential value of x.

For natural (base-2) logarithms, see log2().
For exponential functions of base-e and base-10 logarithms, see exp(), exp10().

95 - extent_id()

Learn how to use the extent_id() function to return an identifier of the current record’s data shard

Returns a unique identifier that identifies the data shard (“extent”) that the current record resides in at the time the query was run.

Applying this function to calculated data that isn’t attached to a data shard returns an empty guid (all zeros).

Syntax

extent_id()

Returns

A value of type guid that identifies the current record’s data shard at the time the query was run, or an empty guid (all zeros).

Example

The following example shows how to get a list of all the data shards that currently have records from an hour ago with a specific value for the column ActivityId. It demonstrates that some query operators (here, the where operator, and also extend and project) preserve the information about the data shard hosting the record.

T
| where Timestamp > ago(1h)
| where ActivityId == 'dd0595d4-183e-494e-b88e-54c52fe90e5a'
| extend eid=extent_id()
| summarize by eid

96 - extent_tags()

Learn how to use the extent_tags() function to return a dynamic array of the data shard that the current record is in.

Returns a dynamic array with the extent tags of the extent that the current record is in.

If you apply this function to calculated data, which isn’t attached to a data shard, returns an empty value.

Syntax

extent_tags()

Returns

A value of type dynamic that is an array holding the current record’s extent tags, or an empty value.

Examples

Some query operators preserve the information about the data shard hosting the record. These operators include where, extend, and project. The following example shows how to get a list the tags of all the data shards that have records from an hour ago, with a specific value for the column ActivityId.

T
| where Timestamp > ago(1h)
| where ActivityId == 'dd0595d4-183e-494e-b88e-54c52fe90e5a'
| extend tags = extent_tags()
| summarize by tostring(tags)

The following example shows how to obtain a count of all records from the last hour, which are stored in extents tagged with the tag MyTag(and potentially other tags), but not tagged with the tag drop-by:MyOtherTag.

T
| where Timestamp > ago(1h)
| extend Tags = extent_tags()
| where Tags has_cs 'MyTag' and Tags !has_cs 'drop-by:MyOtherTag'
| count

97 - extract_all()

Lean how to use the extract_all() to extract all matches for a regular expression from a source string.

Get all matches for a regular expression from a source string. Optionally, retrieve a subset of matching groups.

print extract_all(@"(\d+)", "a set of numbers: 123, 567 and 789") // results with the dynamic array ["123", "567", "789"]

Syntax

extract_all(regex, [captureGroups,] source)

Parameters

Name	Type	Required	Description
regex	`string`	✔️	A regular expression containing between one and 16 capture groups.
captureGroups	`dynamic`		An array that indicates the capture groups to extract. Valid values are from 1 to the number of capturing groups in the regular expression. Named capture groups are allowed as well. See examples.
source	`string`	✔️	The string to search.

Returns

If regex finds a match in source: Returns dynamic array including all matches against the indicated capture groups captureGroups, or all of capturing groups in the regex.
If number of captureGroups is 1: The returned array has a single dimension of matched values.
If number of captureGroups is more than 1: The returned array is a two-dimensional collection of multi-value matches per captureGroups selection, or all capture groups present in the regex if captureGroups is omitted.
If there’s no match: null.

Examples

Extract a single capture group

The following query returns hex-byte representation (two hex-digits) of the GUID.

print Id="82b8be2d-dfa7-4bd1-8f63-24ad26d31449"
| extend guid_bytes = extract_all(@"([\da-f]{2})", Id)

Output

ID	guid_bytes
82b8be2d-dfa7-4bd1-8f63-24ad26d31449	[“82”,“b8”,“be”,“2d”,“df”,“a7”,“4b”,“d1”,“8f”,“63”,“24”,“ad”,“26”,“d3”,“14”,“49”]

Extract several capture groups

The following query uses a regular expression with three capturing groups to split each GUID part into first letter, last letter, and whatever is in the middle.

print Id="82b8be2d-dfa7-4bd1-8f63-24ad26d31449"
| extend guid_bytes = extract_all(@"(\w)(\w+)(\w)", Id)

Output

ID	guid_bytes
82b8be2d-dfa7-4bd1-8f63-24ad26d31449	[[“8”,“2b8be2”,“d”],[“d”,“fa”,“7”],[“4”,“bd”,“1”],[“8”,“f6”,“3”],[“2”,“4ad26d3144”,“9”]]

Extract a subset of capture groups

The following query selects a subset of capturing groups.

The regular expression matches the first letter, last letter, and all the rest.

The captureGroups parameter is used to select only the first and the last parts.

print Id="82b8be2d-dfa7-4bd1-8f63-24ad26d31449"
| extend guid_bytes = extract_all(@"(\w)(\w+)(\w)", dynamic([1,3]), Id)

Output

ID	guid_bytes
82b8be2d-dfa7-4bd1-8f63-24ad26d31449	[[“8”,“d”],[“d”,“7”],[“4”,“1”],[“8”,“3”],[“2”,“9”]]

Using named capture groups

The captureGroups in the following query uses both capture group indexes and named capture group references to fetch matching values.

print Id="82b8be2d-dfa7-4bd1-8f63-24ad26d31449"
| extend guid_bytes = extract_all(@"(?P<first>\w)(?P<middle>\w+)(?P<last>\w)", dynamic(['first',2,'last']), Id)

Output

ID	guid_bytes
82b8be2d-dfa7-4bd1-8f63-24ad26d31449	[[“8”,“2b8be2”,“d”],[“d”,“fa”,“7”],[“4”,“bd”,“1”],[“8”,“f6”,“3”],[“2”,“4ad26d3144”,“9”]]

98 - extract_json()

Learn how to use the extract_json() function to get a specified element out of a JSON text using a path expression.

Get a specified element out of a JSON text using a path expression.

Optionally convert the extracted string to a specific type.

Syntax

extract_json(jsonPath, dataSource, type)

Parameters

Name	Type	Required	Description
jsonPath	`string`	✔️	A JSONPath that defines an accessor into the JSON document.
dataSource	`string`	✔️	A JSON document.
type	`string`		An optional type literal. If provided, the extracted value is converted to this type. For example, `typeof(long)` will convert the extracted value to a `long`.

Performance tips

Apply where-clauses before using extract_json().
Consider using a regular expression match with extract instead. This can run very much faster, and is effective if the JSON is produced from a template.
Use parse_json() if you need to extract more than one value from the JSON.
Consider having the JSON parsed at ingestion by declaring the type of the column to be dynamic.

Returns

This function performs a JSONPath query into dataSource, which contains a valid JSON string, optionally converting that value to another type depending on the third argument.

Example

let json = '{"name": "John", "age": 30, "city": "New York"}';
print extract_json("$.name", json, typeof(string));

Output

print_0
John

99 - extract()

Learn how to use the extract() function to get a match for a regular expression from a source string.

Get a match for a regular expression from a source string.

Optionally, convert the extracted substring to the indicated type.

Syntax

extract(regex, captureGroup, source [, typeLiteral])

Parameters

Name	Type	Required	Description
regex	`string`	✔️	A regular expression.
captureGroup	`int`	✔️	The capture group to extract. 0 stands for the entire match, 1 for the value matched by the first ‘(‘parenthesis’)’ in the regular expression, and 2 or more for subsequent parentheses.
source	`string`	✔️	The string to search.
typeLiteral	`string`		If provided, the extracted substring is converted to this type. For example, `typeof(long)`.

Returns

If regex finds a match in source: the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral.

If there’s no match, or the type conversion fails: null.

Examples

Extract month from datetime string

The following query extracts the month from the string Dates and returns a table with the date string and the month.

let Dates = datatable(DateString: string)
[
    "15-12-2024",
    "21-07-2023",
    "10-03-2022"
];
Dates
| extend Month = extract(@"-(\d{2})-", 1, DateString, typeof(int))
| project DateString, Month

Output

DateString	Month
15-12-2024	12
21-07-2023	7
10-03-2022	3

Extract username from a string

The following example returns the username from the string. The regular expression ([^,]+) matches the text following “User: " up to the next comma, effectively extracting the username.

let Text = "User: JohnDoe, Email: johndoe@example.com, Age: 29";
print UserName = extract("User: ([^,]+)", 1, Text)

Output

UserName
JohnDoe

100 - format_bytes()

Learn how to use the format_bytes() function to format a number as a string representing the data size in bytes.

Formats a number as a string representing data size in bytes.

Syntax

format_bytes(size [, precision [, units]])

Parameters

Name	Type	Required	Description
size	`real`	✔️	The value to be formatted as data size in bytes.
precision	`int`		The number of digits the value will be rounded to after the decimal point. The default is 0.
units	`string`		The units of the target data size: `Bytes`, `KB`, `MB`, `GB`, `TB`, `PB`, or `EB`. If this parameter is empty, the units will be auto-selected based on input value.

Returns

A string of size formatted as data size in bytes.

Examples

print 
v1 = format_bytes(564),
v2 = format_bytes(10332, 1),
v3 = format_bytes(20010332),
v4 = format_bytes(20010332, 2),
v5 = format_bytes(20010332, 0, "KB")

Output

v1	v2	v3	v4	v5
564 Bytes	10.1 KB	19 MB	19.08 MB	19541 KB

Estimate table size

101 - format_datetime()

Learn how to use the format_datetime() function to format a datetime according to the provided format.

Formats a datetime according to the provided format.

Syntax

format_datetime(date , format)

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The value to format.
format	`string`	✔️	The output format comprised of one or more of the supported format elements.

Supported format elements

The format parameter should include one or more of the following elements:

Format specifier	Description	Examples
`d`	The day of the month, from 1 through 31.	2009-06-01T13:45:30 -> 1, 2009-06-15T13:45:30 -> 15
`dd`	The day of the month, from 01 through 31.	2009-06-01T13:45:30 -> 01, 2009-06-15T13:45:30 -> 15
`f`	The tenths of a second in a date and time value.	2009-06-15T13:45:30.6170000 -> 6, 2009-06-15T13:45:30.05 -> 0
`ff`	The hundredths of a second in a date and time value.	2009-06-15T13:45:30.6170000 -> 61, 2009-06-15T13:45:30.0050000 -> 00
`fff`	The milliseconds in a date and time value.	6/15/2009 13:45:30.617 -> 617, 6/15/2009 13:45:30.0005 -> 000
`ffff`	The ten thousandths of a second in a date and time value.	2009-06-15T13:45:30.6175000 -> 6175, 2009-06-15T13:45:30.0000500 -> 0000
`fffff`	The hundred thousandths of a second in a date and time value.	2009-06-15T13:45:30.6175400 -> 61754, 2009-06-15T13:45:30.000005 -> 00000
`ffffff`	The millionths of a second in a date and time value.	2009-06-15T13:45:30.6175420 -> 617542, 2009-06-15T13:45:30.0000005 -> 000000
`fffffff`	The ten millionths of a second in a date and time value.	2009-06-15T13:45:30.6175425 -> 6175425, 2009-06-15T13:45:30.0001150 -> 0001150
`F`	If non-zero, the tenths of a second in a date and time value.	2009-06-15T13:45:30.6170000 -> 6, 2009-06-15T13:45:30.0500000 -> (no output)
`FF`	If non-zero, the hundredths of a second in a date and time value.	2009-06-15T13:45:30.6170000 -> 61, 2009-06-15T13:45:30.0050000 -> (no output)
`FFF`	If non-zero, the milliseconds in a date and time value.	2009-06-15T13:45:30.6170000 -> 617, 2009-06-15T13:45:30.0005000 -> (no output)
`FFFF`	If non-zero, the ten thousandths of a second in a date and time value.	2009-06-15T13:45:30.5275000 -> 5275, 2009-06-15T13:45:30.0000500 -> (no output)
`FFFFF`	If non-zero, the hundred thousandths of a second in a date and time value.	2009-06-15T13:45:30.6175400 -> 61754, 2009-06-15T13:45:30.0000050 -> (no output)
`FFFFFF`	If non-zero, the millionths of a second in a date and time value.	2009-06-15T13:45:30.6175420 -> 617542, 2009-06-15T13:45:30.0000005 -> (no output)
`FFFFFFF`	If non-zero, the ten millionths of a second in a date and time value.	2009-06-15T13:45:30.6175425 -> 6175425, 2009-06-15T13:45:30.0001150 -> 000115
`h`	The hour, using a 12-hour clock from 1 to 12.	2009-06-15T01:45:30 -> 1, 2009-06-15T13:45:30 -> 1
`hh`	The hour, using a 12-hour clock from 01 to 12.	2009-06-15T01:45:30 -> 01, 2009-06-15T13:45:30 -> 01
`H`	The hour, using a 24-hour clock from 0 to 23.	2009-06-15T01:45:30 -> 1, 2009-06-15T13:45:30 -> 13
`HH`	The hour, using a 24-hour clock from 00 to 23.	2009-06-15T01:45:30 -> 01, 2009-06-15T13:45:30 -> 13
`m`	The minute, from 0 through 59.	2009-06-15T01:09:30 -> 9, 2009-06-15T13:29:30 -> 29
`mm`	The minute, from 00 through 59.	2009-06-15T01:09:30 -> 09, 2009-06-15T01:45:30 -> 45
`M`	The month, from 1 through 12.	2009-06-15T13:45:30 -> 6
`MM`	The month, from 01 through 12.	2009-06-15T13:45:30 -> 06
`s`	The second, from 0 through 59.	2009-06-15T13:45:09 -> 9
`ss`	The second, from 00 through 59.	2009-06-15T13:45:09 -> 09
`y`	The year, from 0 to 99.	0001-01-01T00:00:00 -> 1, 0900-01-01T00:00:00 -> 0, 1900-01-01T00:00:00 -> 0, 2009-06-15T13:45:30 -> 9, 2019-06-15T13:45:30 -> 19
`yy`	The year, from 00 to 99.	0001-01-01T00:00:00 -> 01, 0900-01-01T00:00:00 -> 00, 1900-01-01T00:00:00 -> 00, 2019-06-15T13:45:30 -> 19
`yyyy`	The year as a four-digit number.	0001-01-01T00:00:00 -> 0001, 0900-01-01T00:00:00 -> 0900, 1900-01-01T00:00:00 -> 1900, 2009-06-15T13:45:30 -> 2009
`tt`	AM / PM hours	2009-06-15T13:45:09 -> PM

Supported delimiters

The format specifier can include the following delimiters:

Delimiter	Comment
`' '`	Space
`'/'`
`'-'`	Dash
`':'`
`','`
`'.'`
`'_'`
`'['`
`']'`

Returns

A string with date formatted as specified by format.

Examples

The following three examples return differently formatted datetimes.

let dt = datetime(2017-01-29 09:00:05);
print 
v1=format_datetime(dt,'yy-MM-dd [HH:mm:ss]')

Output

v1
17-01-29 [09:00:05]

let dt = datetime(2017-01-29 09:00:05);
print 
v2=format_datetime(dt, 'yyyy-M-dd [H:mm:ss]')

Output

v2
2017-1-29 [9:00:05]

let dt = datetime(2017-01-29 09:00:05);
print 
v3=format_datetime(dt, 'yy-MM-dd [hh:mm:ss tt]')

Output

v3
17-01-29 [09:00:05 AM]

To convert from UTC to local, see datetime_utc_to_local()
To convert a datetime from local to UTC, see datetime_local_to_utc()

102 - format_ipv4_mask()

Learn how to use the format_ipv4_mask() function to parse the input with a netmask and return a string representing the IPv4 address in CIDR notation.

Parses the input with a netmask and returns a string representing the IPv4 address in CIDR notation.

Syntax

format_ipv4_mask(ip [, prefix])

Parameters

Name	Type	Required	Description
ip	`string`	✔️	The IPv4 address as CIDR notation. The format may be a string or number representation in big-endian order.
prefix	`int`		An integer from 0 to 32 representing the number of most-significant bits that are taken into account. If unspecified, all 32 bit-masks are used.

Returns

If conversion is successful, the result will be a string representing IPv4 address as CIDR notation. If conversion isn’t successful, the result will be an empty string.

Examples

datatable(address:string, mask:long)
[
 '192.168.1.1', 24,          
 '192.168.1.1', 32,          
 '192.168.1.1/24', 32,       
 '192.168.1.1/24', long(-1), 
]
| extend result = format_ipv4(address, mask), 
         result_mask = format_ipv4_mask(address, mask)

Output

address	mask	result	result_mask
192.168.1.1	24	192.168.1.0	192.168.1.0/24
192.168.1.1	32	192.168.1.1	192.168.1.1/32
192.168.1.1/24	32	192.168.1.0	192.168.1.0/24
192.168.1.1/24	-1

For IPv4 address formatting without CIDR notation, see format_ipv4().
For a list of functions related to IP addresses, see IPv4 and IPv6 functions.

103 - format_ipv4()

Learn how to use the format_ipv4() function to parse the input with a netmask and return a string representing the IPv4 address.

Parses the input with a netmask and returns a string representing the IPv4 address.

Syntax

format_ipv4(ip [, prefix])

Parameters

Name	Type	Required	Description
ip	`string`	✔️	The IPv4 address. The format may be a string or number representation in big-endian order.
prefix	`int`		An integer from 0 to 32 representing the number of most-significant bits that are taken into account. If unspecified, all 32 bit-masks are used.

Returns

If conversion is successful, the result will be a string representing IPv4 address. If conversion isn’t successful, the result will be an empty string.

Examples

datatable(address:string, mask:long)
[
 '192.168.1.1', 24,          
 '192.168.1.1', 32,          
 '192.168.1.1/24', 32,       
 '192.168.1.1/24', long(-1), 
]
| extend result = format_ipv4(address, mask), 
         result_mask = format_ipv4_mask(address, mask)

Output

address	mask	result	result_mask
192.168.1.1	24	192.168.1.0	192.168.1.0/24
192.168.1.1	32	192.168.1.1	192.168.1.1/32
192.168.1.1/24	32	192.168.1.0	192.168.1.0/24
192.168.1.1/24	-1

For IPv4 address formatting including CIDR notation, see format_ipv4_mask().
For a list of functions related to IP addresses, see IPv4 and IPv6 functions.

104 - format_timespan()

Learn how to use the format_timespan() function to format a timespan according to the provided format.

Formats a timespan according to the provided format.

Syntax

format_timespan(timespan , format)

Parameters

Name	Type	Required	Description
timespan	`timespan`	✔️	The value to format.
format	`string`	✔️	The output format comprised of one or more of the supported format elements.

Supported format elements

Format specifier	Description	Examples
`d`-`dddddddd`	The number of whole days in the time interval. Padded with zeros if needed.	15.13:45:30: d -> 15, dd -> 15, ddd -> 015
`f`	The tenths of a second in the time interval.	15.13:45:30.6170000 -> 6, 15.13:45:30.05 -> 0
`ff`	The hundredths of a second in the time interval.	15.13:45:30.6170000 -> 61, 15.13:45:30.0050000 -> 00
`fff`	The milliseconds in the time interval.	6/15/2009 13:45:30.617 -> 617, 6/15/2009 13:45:30.0005 -> 000
`ffff`	The ten thousandths of a second in the time interval.	15.13:45:30.6175000 -> 6175, 15.13:45:30.0000500 -> 0000
`fffff`	The hundred thousandths of a second in the time interval.	15.13:45:30.6175400 -> 61754, 15.13:45:30.000005 -> 00000
`ffffff`	The millionths of a second in the time interval.	15.13:45:30.6175420 -> 617542, 15.13:45:30.0000005 -> 000000
`fffffff`	The ten millionths of a second in the time interval.	15.13:45:30.6175425 -> 6175425, 15.13:45:30.0001150 -> 0001150
`F`	If non-zero, the tenths of a second in the time interval.	15.13:45:30.6170000 -> 6, 15.13:45:30.0500000 -> (no output)
`FF`	If non-zero, the hundredths of a second in the time interval.	15.13:45:30.6170000 -> 61, 15.13:45:30.0050000 -> (no output)
`FFF`	If non-zero, the milliseconds in the time interval.	15.13:45:30.6170000 -> 617, 15.13:45:30.0005000 -> (no output)
`FFFF`	If non-zero, the ten thousandths of a second in the time interval.	15.13:45:30.5275000 -> 5275, 15.13:45:30.0000500 -> (no output)
`FFFFF`	If non-zero, the hundred thousandths of a second in the time interval.	15.13:45:30.6175400 -> 61754, 15.13:45:30.0000050 -> (no output)
`FFFFFF`	If non-zero, the millionths of a second in the time interval.	15.13:45:30.6175420 -> 617542, 15.13:45:30.0000005 -> (no output)
`FFFFFFF`	If non-zero, the ten millionths of a second in the time interval.	15.13:45:30.6175425 -> 6175425, 15.13:45:30.0001150 -> 000115
`H`	The hour, using a 24-hour clock from 0 to 23.	15.01:45:30 -> 1, 15.13:45:30 -> 13
`HH`	The hour, using a 24-hour clock from 00 to 23.	15.01:45:30 -> 01, 15.13:45:30 -> 13
`m`	The number of whole minutes in the time interval that aren’t included as part of hours or days. Single-digit minutes don’t have a leading zero.	15.01:09:30 -> 9, 15.13:29:30 -> 29
`mm`	The number of whole minutes in the time interval that aren’t included as part of hours or days. Single-digit minutes have a leading zero.	15.01:09:30 -> 09, 15.01:45:30 -> 45
`s`	The number of whole seconds in the time interval that aren’t included as part of hours, days, or minutes. Single-digit seconds don’t have a leading zero.	15.13:45:09 -> 9
`ss`	The number of whole seconds in the time interval that aren’t included as part of hours, days, or minutes. Single-digit seconds have a leading zero.	15.13:45:09 -> 09

Supported delimiters

The format specifier can include following delimiters:

Delimiter	Comment
`' '`	Space
`'/'`
`'-'`	Dash
`':'`
`','`
`'.'`
`'_'`
`'['`
`']'`

Returns

A string with timespan formatted as specified by format.

Examples

let t = time(29.09:00:05.12345);
print 
v1=format_timespan(t, 'dd.hh:mm:ss:FF'),
v2=format_timespan(t, 'ddd.h:mm:ss [fffffff]')

Output

v1	v2
29.09:00:05:12	029.9:00:05 [1234500]

105 - gamma()

Learn how to use the gamma() function to compute the gamma of the input parameter.

Computes the gamma function for the provided number.

Syntax

gamma(number)

Parameters

Name	Type	Required	Description
number	`real`	✔️	The number used to calculate the gamma function.

Returns

Gamma function of number.

For computing log-gamma function, see loggamma().

106 - geo_info_from_ip_address()

Learn how to use the geo_info_from_ip_address() function to retrieve geolocation information about IPv4 or IPv6 addresses.

Retrieves geolocation information about IPv4 or IPv6 addresses.

Syntax

geo_info_from_ip_address(IpAddress )

Parameters

Name	Type	Required	Description
IpAddress	`string`	✔️	IPv4 or IPv6 address to retrieve geolocation information about.

Returns

A dynamic object containing the information on IP address whereabouts (if the information is available). The object contains the following fields:

Name	Type	Description
`country`	`string`	Country name
`state`	`string`	State (subdivision) name
`city`	`string`	City name
`latitude`	`real`	Latitude coordinate
`longitude`	`real`	Longitude coordinate

Examples

print ip_location=geo_info_from_ip_address('20.53.203.50')

Output

ip_location
`{"country": "Australia", "state": "New South Wales", "city": "Sydney", "latitude": -33.8715, "longitude": 151.2006}`

print ip_location=geo_info_from_ip_address('2a03:2880:f12c:83:face:b00c::25de')

Output

ip_location
`{"country": "United States", "state": "Florida", "city": "Boca Raton", "latitude": 26.3594, "longitude": -80.0771}`

107 - gettype()

Learn how to use the gettype() function to return a string representing the runtime type of its single argument.

Returns the runtime type of its single argument.

The runtime type may be different than the nominal (static) type for expressions whose nominal type is dynamic; in such cases gettype() can be useful to reveal the type of the actual value (how the value is encoded in memory).

Syntax

gettype(value)

Parameters

Name	Type	Required	Description
value	scalar	✔️	The value for which to find the type.

Returns

A string representing the runtime type of value.

Examples

Expression	Returns
`gettype("a")`	`string`
`gettype(111)`	`long`
`gettype(1==1)`	`bool`
`gettype(now())`	`datetime`
`gettype(1s)`	`timespan`
`gettype(parse_json('1'))`	`int`
`gettype(parse_json(' "abc" '))`	`string`
`gettype(parse_json(' {"abc":1} '))`	`dictionary`
`gettype(parse_json(' [1, 2, 3] '))`	`array`
`gettype(123.45)`	`real`
`gettype(guid(12e8b78d-55b4-46ae-b068-26d7a0080254))`	`guid`
`gettype(parse_json(''))`	`null`

108 - getyear()

Learn how tow use the getyear() function to return the year of the datetime input.

Returns the year part of the datetime argument.

Syntax

getyear(date)

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The date for which to get the year.

Returns

The year that contains the given date.

Example

print year = getyear(datetime(2015-10-12))

year
2015

109 - gzip_compress_to_base64_string

Learn how to use the gzip_compress_to_base64_string() function to gzip-compress an input and encode it into a base64 string.

Performs gzip compression and encodes the result to base64.

Syntax

gzip_compress_to_base64_string(string)

Parameters

Name	Type	Required	Description
string	`string`	✔️	The value to be compressed and base64 encoded. The function accepts only one argument.

Returns

Returns a string that represents gzip-compressed and base64-encoded original string.
Returns an empty result if compression or encoding failed.

Example

print res = gzip_compress_to_base64_string("1234567890qwertyuiop")

res
H4sIAAAAAAAA/wEUAOv/MTIzNDU2Nzg5MHF3ZXJ0eXVpb3A6m7f2FAAAAA==

110 - gzip_decompress_from_base64_string()

Learn how to use the gzip_decompress_from_base64_string() function to decode an input string from base64 and perform a gzip-decompression.

Decodes the input string from base64 and performs gzip decompression.

Syntax

gzip_decompress_from_base64_string(string)

Parameters

Name	Type	Required	Description
string	`string`	✔️	The value that was compressed with gzip and then base64-encoded. The function accepts only one argument.

Returns

Returns a UTF-8 string that represents the original string.
Returns an empty result if decompression or decoding failed.
- For example, invalid gzip-compressed and base 64-encoded strings will return an empty output.

Examples

Valid input

print res=gzip_decompress_from_base64_string("H4sIAAAAAAAA/wEUAOv/MTIzNDU2Nzg5MHF3ZXJ0eXVpb3A6m7f2FAAAAA==")

res
“1234567890qwertyuiop”

Invalid input

print res=gzip_decompress_from_base64_string("x0x0x0")

res

111 - has_any_ipv4_prefix()

Learn how to use the has_any_ipv4_prefix() function to check if any IPv4 address prefixes appear in the text.

Returns a boolean value indicating whether one of specified IPv4 address prefixes appears in a text.

IP address entrances in a text must be properly delimited with non-alphanumeric characters. For example, properly delimited IP addresses are:

“These requests came from: 192.168.1.1, 10.1.1.115 and 10.1.1.201”
“05:04:54 127.0.0.1 GET /favicon.ico 404”

Performance tips

Syntax

has_any_ipv4_prefix(source , ip_address_prefix [, ip_address_prefix_2, …] )

Parameters

Name	Type	Required	Description
source	`string`	✔️	The value to search.
ip_address_prefix	string or dynamic	✔️	An IP address prefix, or an array of IP address prefixes, for which to search. A valid IP address prefix is either a complete IPv4 address, such as `192.168.1.11`, or its prefix ending with a dot, such as `192.`, `192.168.` or `192.168.1.`.

Returns

true if the one of specified IP address prefixes is a valid IPv4 address prefix, and it was found in source. Otherwise, the function returns false.

Examples

IP addresses as list of strings

print result=has_any_ipv4_prefix('05:04:54 127.0.0.1 GET /favicon.ico 404', '127.0.', '192.168.') // true

result
true

IP addresses as dynamic array

print result=has_any_ipv4_prefix('05:04:54 127.0.0.1 GET /favicon.ico 404', dynamic(["127.0.", "192.168."]))

result
true

Invalid IPv4 prefix

print result=has_any_ipv4_prefix('05:04:54 127.0.0.1 GET /favicon.ico 404', '127.0')

result
false

Improperly deliminated IP address

print result=has_any_ipv4_prefix('05:04:54127.0.0.1 GET /favicon.ico 404', '127.0.', '192.')

result
false

112 - has_any_ipv4()

Learn how to use the has_any_ipv4() function to check if any IPv4 addresses appear in the text.

Returns a value indicating whether one of specified IPv4 addresses appears in a text.

IP address entrances in a text must be properly delimited with non-alphanumeric characters. For example, properly delimited IP addresses are:

“These requests came from: 192.168.1.1, 10.1.1.115 and 10.1.1.201”
“05:04:54 127.0.0.1 GET /favicon.ico 404”

Performance tips

Syntax

has_any_ipv4(source , ip_address [, ip_address_2, …] )

Parameters

Name	Type	Required	Description
source	`string`	✔️	The value to search.
ip_address	string or dynamic	✔️	An IP address, or an array of IP addresses, for which to search.

Returns

true if one of specified IP addresses is a valid IPv4 address, and it was found in source. Otherwise, the function returns false.

Examples

IP addresses as list of strings

print result=has_any_ipv4('05:04:54 127.0.0.1 GET /favicon.ico 404', '127.0.0.1', '127.0.0.2')

result
true

IP addresses as dynamic array

print result=has_any_ipv4('05:04:54 127.0.0.1 GET /favicon.ico 404', dynamic(['127.0.0.1', '127.0.0.2']))

result
true

Invalid IPv4 address

print result=has_any_ipv4('05:04:54 127.0.0.256 GET /favicon.ico 404', dynamic(["127.0.0.256", "192.168.1.1"]))

result
false

Improperly deliminated IP address

print result=has_any_ipv4('05:04:54127.0.0.1 GET /favicon.ico 404', '127.0.0.1', '192.168.1.1') // false, improperly delimited IP address

result
false

113 - has_ipv4_prefix()

Learn how to use the has_ipv4_prefix() function to check if a specified IPv4 address prefix appears in the text.

Returns a value indicating whether a specified IPv4 address prefix appears in a text.

A valid IP address prefix is either a complete IPv4 address (192.168.1.11) or its prefix ending with a dot (192., 192.168. or 192.168.1.).

IP address entrances in a text must be properly delimited with nonalphanumeric characters. For example, properly delimited IP addresses are:

“These requests came from: 192.168.1.1, 10.1.1.115 and 10.1.1.201”
“05:04:54 127.0.0.1 GET /favicon.ico 404”

Syntax

has_ipv4_prefix(source , ip_address_prefix )

Parameters

Name	Type	Required	Description
source	`string`	✔️	The text to search.
ip_address_prefix	`string`	✔️	The IP address prefix for which to search.

Returns

true if the ip_address_prefix is a valid IPv4 address prefix, and it was found in source. Otherwise, the function returns false.

Examples

Properly formatted IPv4 prefix

print result=has_ipv4_prefix('05:04:54 127.0.0.1 GET /favicon.ico 404', '127.0.')

result
true

Invalid IPv4 prefix

print result=has_ipv4_prefix('05:04:54 127.0.0.1 GET /favicon.ico 404', '127.0')

result
false

Invalid IPv4 address

print result=has_ipv4_prefix('05:04:54 127.0.0.256 GET /favicon.ico 404', '127.0.')

result
false

Improperly delimited IPv4 address

print result=has_ipv4_prefix('05:04:54127.0.0.1 GET /favicon.ico 404', '127.0.')

result
false

114 - has_ipv4()

Learn how to use the has_ipv4() function to check if a specified IPv4 address appears in the text.

Returns a value indicating whether a specified IPv4 address appears in a text.

IP address entrances in a text must be properly delimited with non-alphanumeric characters. For example, properly delimited IP addresses are:

“These requests came from: 192.168.1.1, 10.1.1.115 and 10.1.1.201”
“05:04:54 127.0.0.1 GET /favicon.ico 404”

Syntax

has_ipv4(source , ip_address )

Parameters

Name	Type	Required	Description
source	`string`	✔️	The text to search.
ip_address	`string`	✔️	The value containing the IP address for which to search.

Returns

true if the ip_address is a valid IPv4 address, and it was found in source. Otherwise, the function returns false.

Examples

Properly formatted IP address

print result=has_ipv4('05:04:54 127.0.0.1 GET /favicon.ico 404', '127.0.0.1')

Output

result
true

Invalid IP address

print result=has_ipv4('05:04:54 127.0.0.256 GET /favicon.ico 404', '127.0.0.256')

Output

result
false

Improperly delimited IP

print result=has_ipv4('05:04:54127.0.0.1 GET /favicon.ico 404', '127.0.0.1')

Output

result
false

115 - hash_combine()

learn how to use the hash_combine() function to combine hash values of two or more hashes.

Combines hash values of two or more hashes.

Syntax

hash_combine(h1 , h2 [, h3 …])

Parameters

Name	Type	Required	Description
h1, h2, … hN	`long`	✔️	The hash values to combine.

Returns

The combined hash value of the given scalars.

Examples

print value1 = "Hello", value2 = "World"
| extend h1 = hash(value1), h2=hash(value2)
| extend combined = hash_combine(h1, h2)

Output

value1	value2	h1	h2	combined
Hello	World	753694413698530628	1846988464401551951	-1440138333540407281

116 - hash_many()

Learn how to use the hash_many() function to return a combined hash value of multiple values.

Returns a combined hash value of multiple values.

Syntax

hash_many(s1 , s2 [, s3 …])

Parameters

Name	Type	Required	Description
s1, s2, …, sN	scalar	✔️	The values to hash together.

Returns

The hash() function is applied to each of the specified scalars. The resulting hashes are combined into a single hash and returned.

Examples

print value1 = "Hello", value2 = "World"
| extend combined = hash_many(value1, value2)

Output

value1	value2	combined
Hello	World	-1440138333540407281

117 - hash_md5()

Learn how to use the hash_md5() function to return the MD5 hash value of the input.

Returns an MD5 hash value of the input.

Syntax

hash_md5(source)

Parameters

Name	Type	Required	Description
source	scalar	✔️	The value to be hashed.

Returns

The MD5 hash value of the given scalar, encoded as a hex string (a string of characters, each two of which represent a single Hex number between 0 and 255).

Examples

print 
h1=hash_md5("World"),
h2=hash_md5(datetime(2020-01-01))

Output

h1	h2
f5a7924e621e84c9280a9a27e1bcb7f6	786c530672d1f8db31fee25ea8a9390b

The following example uses the hash_md5() function to aggregate StormEvents based on State’s MD5 hash value.

StormEvents
| summarize StormCount = count() by State, StateHash=hash_md5(State)
| top 5 by StormCount

Output

State	StateHash	StormCount
TEXAS	3b00dbe6e07e7485a1c12d36c8e9910a	4701
KANSAS	e1338d0ac8be43846cf9ae967bd02e7f	3166
IOWA	6d4a7c02942f093576149db764d4e2d2	2337
ILLINOIS	8c00d9e0b3fcd55aed5657e42cc40cf1	2022
MISSOURI	2d82f0c963c0763012b2539d469e5008	2016

118 - hash_sha1()

Learn how to use the hash_sha1() function to return a sha1 hash value of the source input.

Returns a sha1 hash value of the source input.

Syntax

hash_sha1(source)

Parameters

Name	Type	Required	Description
source	scalar	✔️	The value to be hashed.

Returns

The sha1 hash value of the given scalar, encoded as a hex string (a string of characters, each two of which represent a single Hex number between 0 and 255).

Examples

print 
    h1=hash_sha1("World"),
    h2=hash_sha1(datetime(2020-01-01))

Output

h1	h2
70c07ec18ef89c5309bbb0937f3a6342411e1fdd	e903e533f4d636b4fc0dcf3cf81e7b7f330de776

The following example uses the hash_sha1() function to aggregate StormEvents based on State’s SHA1 hash value.

StormEvents 
| summarize StormCount = count() by State, StateHash=hash_sha1(State)
| top 5 by StormCount desc

Output

State	StateHash	StormCount
TEXAS	3128d805194d4e6141766cc846778eeacb12e3ea	4701
KANSAS	ea926e17098148921e472b1a760cd5a8117e84d6	3166
IOWA	cacf86ec119cfd5b574bde5b59604774de3273db	2337
ILLINOIS	03740763b16dae9d799097f51623fe635d8c4852	2022
MISSOURI	26d938907240121b54d9e039473dacc96e712f61	2016

119 - hash_sha256()

Learn how to use the hash_sha256() function to return a sha256 hash value of the source input.

Returns a sha256 hash value of the source input.

Syntax

hash_sha256(source)

Parameters

Name	Type	Required	Description
source	scalar	✔️	The value to be hashed.

Returns

The sha256 hash value of the given scalar, encoded as a hex string (a string of characters, each two of which represent a single Hex number between 0 and 255).

Examples

print 
    h1=hash_sha256("World"),
    h2=hash_sha256(datetime(2020-01-01))

Output

h1	h2
78ae647dc5544d227130a0682a51e30bc7777fbb6d8a8f17007463a3ecd1d524	ba666752dc1a20eb750b0eb64e780cc4c968bc9fb8813461c1d7e750f302d71d

The following example uses the hash_sha256() function to aggregate StormEvents based on State’s SHA256 hash value.

StormEvents 
| summarize StormCount = count() by State, StateHash=hash_sha256(State)
| top 5 by StormCount desc

Output

State	StateHash	StormCount
TEXAS	9087f20f23f91b5a77e8406846117049029e6798ebbd0d38aea68da73a00ca37	4701
KANSAS	c80e328393541a3181b258cdb4da4d00587c5045e8cf3bb6c8fdb7016b69cc2e	3166
IOWA	f85893dca466f779410f65cd904fdc4622de49e119ad4e7c7e4a291ceed1820b	2337
ILLINOIS	ae3eeabfd7eba3d9a4ccbfed6a9b8cff269dc43255906476282e0184cf81b7fd	2022
MISSOURI	d15dfc28abc3ee73b7d1f664a35980167ca96f6f90e034db2a6525c0b8ba61b1	2016

120 - hash_xxhash64()

Learn how to use the hash_xxhash64() function to return the xxhash64 value of the input.

Returns an xxhash64 value for the input value.

Syntax

hash_xxhash64(source [, mod])

Parameters

Name	Type	Required	Description
source	scalar	✔️	The value to be hashed.
mod	`int`		A modulo value to be applied to the hash result, so that the output value is between `0` and `mod - 1`. This parameter is useful for limiting the range of possible output values or for compressing the output of the hash function into a smaller range.

Returns

The hash value of source. If mod is specified, the function returns the hash value modulo the value of mod, meaning that the output of the function will be the remainder of the hash value divided by mod. The output will be a value between 0 and mod - 1, inclusive.

Examples

String input

print result=hash_xxhash64("World")

result
1846988464401551951

String input with mod

print result=hash_xxhash64("World", 100)

result
51

Datetime input

print result=hash_xxhash64(datetime("2015-01-01"))

result
1380966698541616202

121 - hash()

Learn how to use the hash() function to return the hash value of the input.

Returns a hash value for the input value.

Syntax

hash(source [, mod])

Parameters

Name	Type	Required	Description
source	scalar	✔️	The value to be hashed.
mod	`int`		A modulo value to be applied to the hash result, so that the output value is between `0` and `mod - 1`. This parameter is useful for limiting the range of possible output values or for compressing the output of the hash function into a smaller range.

Returns

Examples

String input

print result=hash("World")

result
1846988464401551951

String input with mod

print result=hash("World", 100)

result
51

Datetime input

print result=hash(datetime("2015-01-01"))

result
1380966698541616202

Use hash to check data distribution

Use the hash() function for sampling data if the values in one of its columns is uniformly distributed. In the following example, StartTime values are uniformly distributed and the function is used to run a query on 10% of the data.

StormEvents 
| where hash(StartTime, 10) == 0
| summarize StormCount = count(), TypeOfStorms = dcount(EventType) by State 
| top 5 by StormCount desc

122 - hll_merge()

Learn how to use the hll_merge() function toe merge HLL results.

Merges HLL results. This is the scalar version of the aggregate version hll_merge().

Read about the underlying algorithm (HyperLogLog) and estimation accuracy.

Syntax

hll_merge( hll, hll2, [ hll3, … ])

Parameters

Name	Type	Required	Description
hll, hll2, …	`string`	✔️	The column names containing HLL values to merge. The function expects between 2-64 arguments.

Returns

Returns one HLL value. The value is the result of merging the columns hll, hll2, … hllN.

Examples

This example shows the value of the merged columns.

range x from 1 to 10 step 1 
| extend y = x + 10
| summarize hll_x = hll(x), hll_y = hll(y)
| project merged = hll_merge(hll_x, hll_y)
| project dcount_hll(merged)

Output

`dcount_hll_merged`
20

Estimation accuracy

123 - hourofday()

Learn how to use the hourofday() function to return an integer representing the hour of the given date.

Returns the integer number representing the hour number of the given date.

Syntax

hourofday(date)

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The date for which to return the hour number.

Returns

An integer between 0-23 representing the hour number of the day for date.

Example

print hour=hourofday(datetime(2015-12-14 18:54))

hour
18

124 - iff()

This article describes iff().

Returns the :::no-loc text=“then”::: value when the :::no-loc text=“if”::: condition evaluates to true, otherwise it returns the :::no-loc text=“else”::: value.

Syntax

iff(:::no-loc text=“if”:::, :::no-loc text=“then”:::, :::no-loc text=“else”:::)

Parameters

Name	Type	Required	Description
:::no-loc text=“if”:::	`string`	✔️	An expression that evaluates to a boolean value.
:::no-loc text=“then”:::	scalar	✔️	An expression that returns its value when the :::no-loc text=“if”::: condition evaluates to `true`.
:::no-loc text=“else”:::	scalar	✔️	An expression that returns its value when the :::no-loc text=“if”::: condition evaluates to `false`.

Returns

This function returns the :::no-loc text=“then”::: value when the :::no-loc text=“if”::: condition evaluates to true, otherwise it returns the :::no-loc text=“else”::: value.

Examples

Classify data using iff()

The following query uses the iff() function to categorize storm events as either “Rain event” or “Not rain event” based on their event type, and then projects the state, event ID, event type, and the new rain category.

StormEvents
| extend Rain = iff((EventType in ("Heavy Rain", "Flash Flood", "Flood")), "Rain event", "Not rain event")
| project State, EventId, EventType, Rain

Output

The following table shows only the first five rows.

State	EventId	EventType	Rain
ATLANTIC SOUTH	61032	Waterspout	Not rain event
FLORIDA	60904	Heavy Rain	Rain event
FLORIDA	60913	Tornado	Not rain event
GEORGIA	64588	Thunderstorm Wind	Not rain event
MISSISSIPPI	68796	Thunderstorm Wind	Not rain event
…	…	…	…

Combine iff() with other functions

The following query calculates the total damage from crops and property, categorizes the severity of storm events based on total damage, direct injuries, and direct deaths, and then summarizes the total number of events and the number of events by severity.

StormEvents
| extend TotalDamage = DamageCrops + DamageProperty
| extend Severity = iff(TotalDamage > 1000000 or InjuriesDirect > 10 or DeathsDirect > 0, "High", iff(TotalDamage < 50000 and InjuriesDirect == 0 and DeathsDirect == 0, "Low", "Moderate"))
| summarize TotalEvents = count(), SeverityEvents = count() by Severity

Output

Severity	TotalEvents
Low	54805
High	977
Moderate	3284

125 - indexof_regex()

Learn how to use the indexof_regex() function to return the zero-based index position of a regex input.

Returns the zero-based index of the first occurrence of a specified lookup regular expression within the input string.

See indexof().

Syntax

indexof_regex(string,match[,start[,length[,occurrence]]])

Parameters

Name	Type	Required	Description
string	`string`	✔️	The source string to search.
match	`string`	✔️	The regular expression lookup string.
start	`int`		The search start position. A negative value will offset the starting search position from the end of the string by this many steps: `abs(`start`)`.
length	`int`		The number of character positions to examine. A value of -1 means unlimited length.
occurrence	`int`		The number of the occurrence. The default is 1.

Returns

The zero-based index position of match.

Returns -1 if match isn’t found in string.
Returns null if:
- start is less than 0.
- occurrence is less than 0.
- length is less than -1.

Examples

print
    idx1 = indexof_regex("abcabc", @"a.c"), // lookup found in input string
    idx2 = indexof_regex("abcabcdefg", @"a.c", 0, 9, 2),  // lookup found in input string
    idx3 = indexof_regex("abcabc", @"a.c", 1, -1, 2),  // there's no second occurrence in the search range
    idx4 = indexof_regex("ababaa", @"a.a", 0, -1, 2), // Matches don't overlap so full lookup can't be found 
    idx5 = indexof_regex("abcabc", @"a|ab", -1)  // invalid start argument

Output

idx1	idx2	idx3	idx4	idx5
0	3	-1	-1

126 - indexof()

Learn how to use the indexof() function to report the zero-based index position of the input string.

Reports the zero-based index of the first occurrence of a specified string within the input string.

For more information, see indexof_regex().

Syntax

indexof(string,match[,start[,length[,occurrence]]])

Parameters

Name	Type	Required	Description
string	`string`	✔️	The source string to search.
match	`string`	✔️	The string for which to search.
start	`int`		The search start position. A negative value will offset the starting search position from the end of the string by this many steps: `abs(`start`)`.
length	`int`		The number of character positions to examine. A value of -1 means unlimited length.
occurrence	`int`		The number of the occurrence. The default is 1.

Returns

The zero-based index position of match.

Returns -1 if match isn’t found in string.
Returns null if:
- start is less than 0.
- occurrence is less than 0.
- length is less than -1.

Examples

print
 idx1 = indexof("abcdefg","cde")    // lookup found in input string
 , idx2 = indexof("abcdefg","cde",1,4) // lookup found in researched range 
 , idx3 = indexof("abcdefg","cde",1,2) // search starts from index 1, but stops after 2 chars, so full lookup can't be found
 , idx4 = indexof("abcdefg","cde",3,4) // search starts after occurrence of lookup
 , idx5 = indexof("abcdefg","cde",-5)  // negative start index
 , idx6 = indexof(1234567,5,1,4)       // two first parameters were forcibly casted to strings "12345" and "5"
 , idx7 = indexof("abcdefg","cde",2,-1)  // lookup found in input string
 , idx8 = indexof("abcdefgabcdefg", "cde", 1, 10, 2)   // lookup found in input range
 , idx9 = indexof("abcdefgabcdefg", "cde", 1, -1, 3)   // the third occurrence of lookup is not in researched range

Output

idx1	idx2	idx3	idx4	idx5	idx6	idx7	idx8	idx9
2	2	-1	-1	2	4	2	9	-1

127 - ingestion_time()

Learn how to use the ingestion_time() function to return the approximate time of the data’s ingestion.

Returns the approximate datetime in UTC format indicating when the current record was ingested.

This function must be used in the context of a table or a materialized view. Otherwise, this function produces null values.

If IngestionTime policy was not enabled when the data was ingested, the function returns null values.

Retrieves the datetime when the record was ingested and ready for query.

Syntax

ingestion_time()

Returns

A datetime value specifying the approximate time of ingestion into a table.

Example

T
| extend ingestionTime = ingestion_time() | top 10 by ingestionTime

128 - ipv4_compare()

Learn how to use the ipv4_compare() function to compare two IPv4 strings.

Compares two IPv4 strings. The two IPv4 strings are parsed and compared while accounting for the combined IP-prefix mask calculated from argument prefixes, and the optional PrefixMask argument.

Syntax

ipv4_compare(Expr1,Expr2[ ,PrefixMask])

Parameters

Name	Type	Required	Description
Expr1, Expr2	`string`	✔️	A string expression representing an IPv4 address. IPv4 strings can be masked using IP-prefix notation.
PrefixMask	`int`		An integer from 0 to 32 representing the number of most-significant bits that are taken into account.

Returns

0: If the long representation of the first IPv4 string argument is equal to the second IPv4 string argument
1: If the long representation of the first IPv4 string argument is greater than the second IPv4 string argument
-1: If the long representation of the first IPv4 string argument is less than the second IPv4 string argument
null: If conversion for one of the two IPv4 strings wasn’t successful.

Examples: IPv4 comparison equality cases

Compare IPs using the IP-prefix notation specified inside the IPv4 strings

datatable(ip1_string:string, ip2_string:string)
[
 '192.168.1.0',    '192.168.1.0',       // Equal IPs
 '192.168.1.1/24', '192.168.1.255',     // 24 bit IP-prefix is used for comparison
 '192.168.1.1',    '192.168.1.255/24',  // 24 bit IP-prefix is used for comparison
 '192.168.1.1/30', '192.168.1.255/24',  // 24 bit IP-prefix is used for comparison
]
| extend result = ipv4_compare(ip1_string, ip2_string)

Output

ip1_string	ip2_string	result
192.168.1.0	192.168.1.0	0
192.168.1.1/24	192.168.1.255	0
192.168.1.1	192.168.1.255/24	0
192.168.1.1/30	192.168.1.255/24	0

Compare IPs using IP-prefix notation specified inside the IPv4 strings and as additional argument of the `ipv4_compare()` function

datatable(ip1_string:string, ip2_string:string, prefix:long)
[
 '192.168.1.1',    '192.168.1.0',   31, // 31 bit IP-prefix is used for comparison
 '192.168.1.1/24', '192.168.1.255', 31, // 24 bit IP-prefix is used for comparison
 '192.168.1.1',    '192.168.1.255', 24, // 24 bit IP-prefix is used for comparison
]
| extend result = ipv4_compare(ip1_string, ip2_string, prefix)

Output

ip1_string	ip2_string	prefix
192.168.1.1	192.168.1.0	31
192.168.1.1/24	192.168.1.255	31
192.168.1.1	192.168.1.255	24

Overview of IPv4/IPv6 functions
Overview of IPv4 text match functions

129 - ipv4_is_in_any_range()

Learn how to use the ipv4_is_in_any_range() function to check if the IPv4 string address is in any of the IPv4 address ranges.

Checks whether IPv4 string address is in any of the specified IPv4 address ranges.

Performance tips

Syntax

ipv4_is_in_any_range(Ipv4Address , Ipv4Range [ , Ipv4Range …] )

ipv4_is_in_any_range(Ipv4Address , Ipv4Ranges )

Parameters

Name	Type	Required	Description
Ipv4Address	`string`	✔️	An expression representing an IPv4 address.
Ipv4Range	`string`	✔️	An IPv4 range or list of IPv4 ranges written with IP-prefix notation.
Ipv4Ranges	`dynamic`	✔️	A dynamic array containing IPv4 ranges written with IP-prefix notation.

Returns

true: If the IPv4 address is in the range of any of the specified IPv4 networks.
false: Otherwise.
null: If conversion for one of the two IPv4 strings wasn’t successful.

Examples

Syntax using list of strings

print Result=ipv4_is_in_any_range('192.168.1.6', '192.168.1.1/24', '10.0.0.1/8', '127.1.0.1/16')

Output

Result
true

Syntax using dynamic array

print Result=ipv4_is_in_any_range("127.0.0.1", dynamic(["127.0.0.1", "192.168.1.1"]))

Output

Result
true

Extend table with IPv4 range check

let LocalNetworks=dynamic([
    "192.168.1.1/16",
    "127.0.0.1/8",
    "10.0.0.1/8"
]);
let IPs=datatable(IP:string) [
    "10.1.2.3",
    "192.168.1.5",
    "123.1.11.21",
    "1.1.1.1"
];
IPs
| extend IsLocal=ipv4_is_in_any_range(IP, LocalNetworks)

Output

IP	IsLocal
10.1.2.3	true
192.168.1.5	true
123.1.11.21	false
1.1.1.1	false

Overview of IPv4/IPv6 functions
Overview of IPv4 text match functions

130 - ipv4_is_in_range()

Learn how to use the ipv4_is_in_range() function to check if the IPv4 string address is in the IPv4-prefix notation range.

Checks if IPv4 string address is in IPv4-prefix notation range.

Syntax

ipv4_is_in_range(Ipv4Address,Ipv4Range)

Parameters

Name	Type	Required	Description
Ipv4Address	`string`	✔️	An expression representing an IPv4 address.
Ipv4Range	`string`	✔️	An IPv4 range or list of IPv4 ranges written with IP-prefix notation.

Returns

true: If the long representation of the first IPv4 string argument is in range of the second IPv4 string argument.
false: Otherwise.
null: If conversion for one of the two IPv4 strings wasn’t successful.

Example

datatable(ip_address:string, ip_range:string)
[
 '192.168.1.1',    '192.168.1.1',       // Equal IPs
 '192.168.1.1',    '192.168.1.255/24',  // 24 bit IP-prefix is used for comparison
]
| extend result = ipv4_is_in_range(ip_address, ip_range)

Output

ip_address	ip_range	result
192.168.1.1	192.168.1.1	true
192.168.1.1	192.168.1.255/24	true

Overview of IPv4/IPv6 functions
Overview of IPv4 text match functions

131 - ipv4_is_match()

Learn how to use the ipv4_is_match() function to match two IPv4 strings.

Matches two IPv4 strings. The two IPv4 strings are parsed and compared while accounting for the combined IP-prefix mask calculated from argument prefixes, and the optional prefix argument.

Syntax

ipv4_is_match(ip1,ip2[ ,prefix])

Parameters

Name	Type	Required	Description
ip1, ip2	`string`	✔️	An expression representing an IPv4 address. IPv4 strings can be masked using IP-prefix notation.
prefix	`int`		An integer from 0 to 32 representing the number of most-significant bits that are taken into account.

Returns

true: If the long representation of the first IPv4 string argument is equal to the second IPv4 string argument.
false: Otherwise.
null: If conversion for one of the two IPv4 strings wasn’t successful.

Examples

Simple example

print ipv4_is_match('192.168.1.1/24', '192.168.1.255')

Output

print_0
true

IPv4 comparison equality - IP-prefix notation specified inside the IPv4 strings

datatable(ip1_string:string, ip2_string:string)
[
 '192.168.1.0',    '192.168.1.0',       // Equal IPs
 '192.168.1.1/24', '192.168.1.255',     // 24 bit IP-prefix is used for comparison
 '192.168.1.1',    '192.168.1.255/24',  // 24 bit IP-prefix is used for comparison
 '192.168.1.1/30', '192.168.1.255/24',  // 24 bit IP-prefix is used for comparison
]
| extend result = ipv4_is_match(ip1_string, ip2_string)

Output

ip1_string	ip2_string	result
192.168.1.0	192.168.1.0	true
192.168.1.1/24	192.168.1.255	true
192.168.1.1	192.168.1.255/24	true
192.168.1.1/30	192.168.1.255/24	true

IPv4 comparison equality - IP-prefix notation specified inside the IPv4 strings and an additional argument of the `ipv4_is_match()` function

datatable(ip1_string:string, ip2_string:string, prefix:long)
[
 '192.168.1.1',    '192.168.1.0',   31, // 31 bit IP-prefix is used for comparison
 '192.168.1.1/24', '192.168.1.255', 31, // 24 bit IP-prefix is used for comparison
 '192.168.1.1',    '192.168.1.255', 24, // 24 bit IP-prefix is used for comparison
]
| extend result = ipv4_is_match(ip1_string, ip2_string, prefix)

Output

ip1_string	ip2_string	prefix	result
192.168.1.1	192.168.1.0	31	true
192.168.1.1/24	192.168.1.255	31	true
192.168.1.1	192.168.1.255	24	true

Overview of IPv4/IPv6 functions
Overview of IPv4 text match functions

132 - ipv4_is_private()

Learn how to use the ipv4_is_private() function to check if the IPv4 string address belongs to a set of private network IPs.

Checks if the IPv4 string address belongs to a set of private network IPs.

Private network addresses were originally defined to help delay IPv4 address exhaustion. IP packets originating from or addressed to a private IP address can’t be routed through the public internet.

Private IPv4 addresses

The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority (IANA) to reserve the following IPv4 address ranges for private networks:

IP address range	Number of addresses	Largest CIDR block (subnet mask)
10.0.0.0 – 10.255.255.255	16777216	10.0.0.0/8 (255.0.0.0)
172.16.0.0 – 172.31.255.255	1048576	172.16.0.0/12 (255.240.0.0)
192.168.0.0 – 192.168.255.255	65536	192.168.0.0/16 (255.255.0.0)

ipv4_is_private('192.168.1.1/24') == true
ipv4_is_private('10.1.2.3/24') == true
ipv4_is_private('202.1.2.3') == false
ipv4_is_private("127.0.0.1") == false

Syntax

ipv4_is_private(ip)

Parameters

Name	Type	Required	Description
ip	`string`	✔️	An expression representing an IPv4 address. IPv4 strings can be masked using IP-prefix notation.

Returns

true: If the IPv4 address belongs to any of the private network ranges.
false: Otherwise.
null: If parsing of the input as IPv4 address string wasn’t successful.

Example: Check if IPv4 belongs to a private network

datatable(ip_string:string)
[
 '10.1.2.3',
 '192.168.1.1/24',
 '127.0.0.1',
]
| extend result = ipv4_is_private(ip_string)

Output

ip_string	result
10.1.2.3	true
192.168.1.1/24	true
127.0.0.1	false

Overview of IPv4/IPv6 functions
Overview of IPv4 text match functions

133 - ipv4_netmask_suffix()

Learn how to use the ipv4_netmask_suffix() function to return the value of the IPv4 netmask suffix from an IPv4 string address.

Returns the value of the IPv4 netmask suffix from an IPv4 string address.

Syntax

ipv4_netmask_suffix(ip)

Parameters

Name	Type	Required	Description
ip	`string`	✔️	An expression representing an IPv4 address. IPv4 strings can be masked using IP-prefix notation.

Returns

The value of the netmask suffix the IPv4 address. If the suffix isn’t present in the input, a value of 32 (full netmask suffix) is returned.
null: If parsing the input as an IPv4 address string wasn’t successful.

Example: Resolve IPv4 mask suffix

datatable(ip_string:string)
[
 '10.1.2.3',
 '192.168.1.1/24',
 '127.0.0.1/16',
]
| extend cidr_suffix = ipv4_netmask_suffix(ip_string)

Output

ip_string	cidr_suffix
10.1.2.3	32
192.168.1.1/24	24
127.0.0.1/16	16

Overview of IPv4/IPv6 functions
Overview of IPv4 text match functions

134 - ipv4_range_to_cidr_list()

Learn how to use the ipv4_range_to_cidr_list() function to convert IPv4 address range to a list of CIDR ranges.

Converts a IPv4 address range denoted by starting and ending IPv4 addresses to a list of IPv4 ranges in CIDR notation.

Syntax

ipv4_range_to_cidr_list(StartAddress , EndAddress )

Parameters

Name	Type	Required	Description
StartAddress	`string`	✔️	An expression representing a starting IPv4 address of the range.
EndAddress	`string`	✔️	An expression representing an ending IPv4 address of the range.

Returns

A dynamic array object containing the list of ranges in CIDR notation.

Examples

print start_IP="1.1.128.0", end_IP="1.1.140.255"
 | project ipv4_range_list = ipv4_range_to_cidr_list(start_IP, end_IP)

Output

ipv4_range_list
`["1.1.128.0/21", "1.1.136.0/22","1.1.140.0/24"]`

Overview of IPv4/IPv6 functions
Overview of IPv4 text match functions

135 - ipv6_compare()

Learn how to use the ipv6_compare() function to compare two IPv6 or IPv4 network address strings.

Compares two IPv6 or IPv4 network address strings. The two IPv6 strings are parsed and compared while accounting for the combined IP-prefix mask calculated from argument prefixes, and the optional prefix argument.

Syntax

ipv6_compare(ip1,ip2[ ,prefix])

Parameters

Name	Type	Required	Description
ip1, ip2	`string`	✔️	An expression representing an IPv6 or IPv4 address. IPv6 and IPv4 strings can be masked using IP-prefix notation.
prefix	`int`		An integer from 0 to 128 representing the number of most significant bits that are taken into account.

Returns

0: If the long representation of the first IPv6 string argument is equal to the second IPv6 string argument.
1: If the long representation of the first IPv6 string argument is greater than the second IPv6 string argument.
-1: If the long representation of the first IPv6 string argument is less than the second IPv6 string argument.
null: If conversion for one of the two IPv6 strings wasn’t successful.

Examples: IPv6/IPv4 comparison equality cases

Compare IPs using the IP-prefix notation specified inside the IPv6/IPv4 strings

datatable(ip1_string:string, ip2_string:string)
[
 // IPv4 are compared as IPv6 addresses
 '192.168.1.1',    '192.168.1.1',       // Equal IPs
 '192.168.1.1/24', '192.168.1.255',     // 24 bit IP4-prefix is used for comparison
 '192.168.1.1',    '192.168.1.255/24',  // 24 bit IP4-prefix is used for comparison
 '192.168.1.1/30', '192.168.1.255/24',  // 24 bit IP4-prefix is used for comparison
  // IPv6 cases
 'fe80::85d:e82c:9446:7994', 'fe80::85d:e82c:9446:7994',         // Equal IPs
 'fe80::85d:e82c:9446:7994/120', 'fe80::85d:e82c:9446:7998',     // 120 bit IP6-prefix is used for comparison
 'fe80::85d:e82c:9446:7994', 'fe80::85d:e82c:9446:7998/120',     // 120 bit IP6-prefix is used for comparison
 'fe80::85d:e82c:9446:7994/120', 'fe80::85d:e82c:9446:7998/120', // 120 bit IP6-prefix is used for comparison
 // Mixed case of IPv4 and IPv6
 '192.168.1.1',      '::ffff:c0a8:0101', // Equal IPs
 '192.168.1.1/24',   '::ffff:c0a8:01ff', // 24 bit IP-prefix is used for comparison
 '::ffff:c0a8:0101', '192.168.1.255/24', // 24 bit IP-prefix is used for comparison
 '::192.168.1.1/30', '192.168.1.255/24', // 24 bit IP-prefix is used for comparison
]
| extend result = ipv6_compare(ip1_string, ip2_string)

Output

ip1_string	ip2_string	result
192.168.1.1	192.168.1.1	0
192.168.1.1/24	192.168.1.255	0
192.168.1.1	192.168.1.255/24	0
192.168.1.1/30	192.168.1.255/24	0
fe80::85d:e82c:9446:7994	fe80::85d:e82c:9446:7994	0
fe80::85d:e82c:9446:7994/120	fe80::85d:e82c:9446:7998	0
fe80::85d:e82c:9446:7994	fe80::85d:e82c:9446:7998/120	0
fe80::85d:e82c:9446:7994/120	fe80::85d:e82c:9446:7998/120	0
192.168.1.1	::ffff:c0a8:0101	0
192.168.1.1/24	::ffff:c0a8:01ff	0
::ffff:c0a8:0101	192.168.1.255/24	0
::192.168.1.1/30	192.168.1.255/24	0

Compare IPs using IP-prefix notation specified inside the IPv6/IPv4 strings and as additional argument of the `ipv6_compare()` function

datatable(ip1_string:string, ip2_string:string, prefix:long)
[
 // IPv4 are compared as IPv6 addresses 
 '192.168.1.1',    '192.168.1.0',   31, // 31 bit IP4-prefix is used for comparison
 '192.168.1.1/24', '192.168.1.255', 31, // 24 bit IP4-prefix is used for comparison
 '192.168.1.1',    '192.168.1.255', 24, // 24 bit IP4-prefix is used for comparison
   // IPv6 cases
 'fe80::85d:e82c:9446:7994', 'fe80::85d:e82c:9446:7995',     127, // 127 bit IP6-prefix is used for comparison
 'fe80::85d:e82c:9446:7994/127', 'fe80::85d:e82c:9446:7998', 120, // 120 bit IP6-prefix is used for comparison
 'fe80::85d:e82c:9446:7994/120', 'fe80::85d:e82c:9446:7998', 127, // 120 bit IP6-prefix is used for comparison
 // Mixed case of IPv4 and IPv6
 '192.168.1.1/24',   '::ffff:c0a8:01ff', 127, // 127 bit IP6-prefix is used for comparison
 '::ffff:c0a8:0101', '192.168.1.255',    120, // 120 bit IP6-prefix is used for comparison
 '::192.168.1.1/30', '192.168.1.255/24', 127, // 120 bit IP6-prefix is used for comparison
]
| extend result = ipv6_compare(ip1_string, ip2_string, prefix)

Output

ip1_string	ip2_string	prefix
192.168.1.1	192.168.1.0	31
192.168.1.1/24	192.168.1.255	31
192.168.1.1	192.168.1.255	24
fe80::85d:e82c:9446:7994	fe80::85d:e82c:9446:7995	127
fe80::85d:e82c:9446:7994/127	fe80::85d:e82c:9446:7998	120
fe80::85d:e82c:9446:7994/120	fe80::85d:e82c:9446:7998	127
192.168.1.1/24	::ffff:c0a8:01ff	127
::ffff:c0a8:0101	192.168.1.255	120
::192.168.1.1/30	192.168.1.255/24	127

Overview of IPv4/IPv6 functions

136 - ipv6_is_in_any_range()

Learn how to use the ipv6_is_in_any_range function to check if an IPv6 string address is in any of the IPv6 address ranges.

Checks whether an IPv6 string address is in any of the specified IPv6 address ranges.

Performance tips

Syntax

ipv6_is_in_any_range(Ipv6Address , Ipv6Range [ , Ipv6Range …] )

ipv6_is_in_any_range(Ipv6Address , Ipv6Ranges )

Parameters

Name	Type	Required	Description
Ipv6Address	`string`	✔️	An expression representing an IPv6 address.
Ipv6Range	`string`	✔️	An expression representing an IPv6 range using IP-prefix notation.
Ipv6Ranges	`dynamic`	✔️	An array containing IPv6 ranges using IP-prefix notation.

Returns

true: If the IPv6 address is in the range of any of the specified IPv6 networks.
false: Otherwise.
null: If conversion for one of the two IPv6 strings wasn’t successful.

Example

let LocalNetworks=dynamic([
    "a5e:f127:8a9d:146d:e102:b5d3:c755:f6cd/112",
    "0:0:0:0:0:ffff:c0a8:ac/60"
]);
let IPs=datatable(IP:string) [
    "a5e:f127:8a9d:146d:e102:b5d3:c755:abcd",
    "a5e:f127:8a9d:146d:e102:b5d3:c755:abce",
    "a5e:f127:8a9d:146d:e102:b5d3:c755:abcf",
    "a5e:f127:8a9d:146d:e102:b5d3:c756:abd1",
];
IPs
| extend IsLocal=ipv6_is_in_any_range(IP, LocalNetworks)

Output

IP	IsLocal
a5e:f127:8a9d:146d:e102:b5d3:c755:abcd	True
a5e:f127:8a9d:146d:e102:b5d3:c755:abce	True
a5e:f127:8a9d:146d:e102:b5d3:c755:abcf	True
a5e:f127:8a9d:146d:e102:b5d3:c756:abd1	False

Overview of IPv4/IPv6 functions

137 - ipv6_is_in_range()

Learn how to use the ipv6_is_in_range() function to check if an IPv6 string address is in the Ipv6-prefix notation range.

Checks if an IPv6 string address is in the IPv6-prefix notation range.

Syntax

ipv6_is_in_range(Ipv6Address,Ipv6Range)

Parameters

Name	Type	Required	Description
Ipv6Address	`string`	✔️	An expression representing an IPv6 address.
Ipv6Range	`string`	✔️	An expression representing an IPv6 range using IP-prefix notation.

Returns

true: If the long representation of the first IPv6 string argument is in range of the second IPv6 string argument.
false: Otherwise.
null: If conversion for one of the two IPv6 strings wasn’t successful.

Example

datatable(ip_address:string, ip_range:string)
[
 'a5e:f127:8a9d:146d:e102:b5d3:c755:abcd',    'a5e:f127:8a9d:146d:e102:b5d3:c755:0000/112',
 'a5e:f127:8a9d:146d:e102:b5d3:c755:abcd',    'a5e:f127:8a9d:146d:e102:b5d3:c755:abcd',
 'a5e:f127:8a9d:146d:e102:b5d3:c755:abcd',    '0:0:0:0:0:ffff:c0a8:ac/60',
]
| extend result = ipv6_is_in_range(ip_address, ip_range)

Output

ip_address	ip_range	result
a5e:f127:8a9d:146d:e102:b5d3:c755:abcd	a5e:f127:8a9d:146d:e102:b5d3:c755:0000/112	True
a5e:f127:8a9d:146d:e102:b5d3:c755:abcd	a5e:f127:8a9d:146d:e102:b5d3:c755:abcd	True
a5e:f127:8a9d:146d:e102:b5d3:c755:abcd	0:0:0:0:0:ffff:c0a8:ac/60	False

Overview of IPv4/IPv6 functions

138 - ipv6_is_match()

Learn how to use the ipv6_is_match() function to match two IPv6 or IPv4 network address strings.

Matches two IPv6 or IPv4 network address strings. The two IPv6/IPv4 strings are parsed and compared while accounting for the combined IP-prefix mask calculated from argument prefixes, and the optional prefix argument.

Syntax

ipv6_is_match(ip1,ip2[ ,prefix])

Parameters

Name	Type	Required	Description
ip1, ip2	`string`	✔️	An expression representing an IPv6 or IPv4 address. IPv6 and IPv4 strings can be masked using IP-prefix notation.
prefix	`int`		An integer from 0 to 128 representing the number of most-significant bits that are taken into account.

Returns

true: If the long representation of the first IPv6/IPv4 string argument is equal to the second IPv6/IPv4 string argument.
false: Otherwise.
null: If conversion for one of the two IPv6/IPv4 strings wasn’t successful.

Examples

IPv6/IPv4 comparison equality case - IP-prefix notation specified inside the IPv6/IPv4 strings

datatable(ip1_string:string, ip2_string:string)
[
 // IPv4 are compared as IPv6 addresses
 '192.168.1.1',    '192.168.1.1',       // Equal IPs
 '192.168.1.1/24', '192.168.1.255',     // 24 bit IP4-prefix is used for comparison
 '192.168.1.1',    '192.168.1.255/24',  // 24 bit IP4-prefix is used for comparison
 '192.168.1.1/30', '192.168.1.255/24',  // 24 bit IP4-prefix is used for comparison
  // IPv6 cases
 'fe80::85d:e82c:9446:7994', 'fe80::85d:e82c:9446:7994',         // Equal IPs
 'fe80::85d:e82c:9446:7994/120', 'fe80::85d:e82c:9446:7998',     // 120 bit IP6-prefix is used for comparison
 'fe80::85d:e82c:9446:7994', 'fe80::85d:e82c:9446:7998/120',     // 120 bit IP6-prefix is used for comparison
 'fe80::85d:e82c:9446:7994/120', 'fe80::85d:e82c:9446:7998/120', // 120 bit IP6-prefix is used for comparison
 // Mixed case of IPv4 and IPv6
 '192.168.1.1',      '::ffff:c0a8:0101', // Equal IPs
 '192.168.1.1/24',   '::ffff:c0a8:01ff', // 24 bit IP-prefix is used for comparison
 '::ffff:c0a8:0101', '192.168.1.255/24', // 24 bit IP-prefix is used for comparison
 '::192.168.1.1/30', '192.168.1.255/24', // 24 bit IP-prefix is used for comparison
]
| extend result = ipv6_is_match(ip1_string, ip2_string)

Output

ip1_string	ip2_string	result
192.168.1.1	192.168.1.1	1
192.168.1.1/24	192.168.1.255	1
192.168.1.1	192.168.1.255/24	1
192.168.1.1/30	192.168.1.255/24	1
fe80::85d:e82c:9446:7994	fe80::85d:e82c:9446:7994	1
fe80::85d:e82c:9446:7994/120	fe80::85d:e82c:9446:7998	1
fe80::85d:e82c:9446:7994	fe80::85d:e82c:9446:7998/120	1
fe80::85d:e82c:9446:7994/120	fe80::85d:e82c:9446:7998/120	1
192.168.1.1	::ffff:c0a8:0101	1
192.168.1.1/24	::ffff:c0a8:01ff	1
::ffff:c0a8:0101	192.168.1.255/24	1
::192.168.1.1/30	192.168.1.255/24	1

IPv6/IPv4 comparison equality case- IP-prefix notation specified inside the IPv6/IPv4 strings and as additional argument of the `ipv6_is_match()` function

datatable(ip1_string:string, ip2_string:string, prefix:long)
[
 // IPv4 are compared as IPv6 addresses 
 '192.168.1.1',    '192.168.1.0',   31, // 31 bit IP4-prefix is used for comparison
 '192.168.1.1/24', '192.168.1.255', 31, // 24 bit IP4-prefix is used for comparison
 '192.168.1.1',    '192.168.1.255', 24, // 24 bit IP4-prefix is used for comparison
   // IPv6 cases
 'fe80::85d:e82c:9446:7994', 'fe80::85d:e82c:9446:7995',     127, // 127 bit IP6-prefix is used for comparison
 'fe80::85d:e82c:9446:7994/127', 'fe80::85d:e82c:9446:7998', 120, // 120 bit IP6-prefix is used for comparison
 'fe80::85d:e82c:9446:7994/120', 'fe80::85d:e82c:9446:7998', 127, // 120 bit IP6-prefix is used for comparison
 // Mixed case of IPv4 and IPv6
 '192.168.1.1/24',   '::ffff:c0a8:01ff', 127, // 127 bit IP6-prefix is used for comparison
 '::ffff:c0a8:0101', '192.168.1.255',    120, // 120 bit IP6-prefix is used for comparison
 '::192.168.1.1/30', '192.168.1.255/24', 127, // 120 bit IP6-prefix is used for comparison
]
| extend result = ipv6_is_match(ip1_string, ip2_string, prefix)

Output

ip1_string	ip2_string	prefix	result
192.168.1.1	192.168.1.0	31	1
192.168.1.1/24	192.168.1.255	31	1
192.168.1.1	192.168.1.255	24	1
fe80::85d:e82c:9446:7994	fe80::85d:e82c:9446:7995	127	1
fe80::85d:e82c:9446:7994/127	fe80::85d:e82c:9446:7998	120	1
fe80::85d:e82c:9446:7994/120	fe80::85d:e82c:9446:7998	127	1
192.168.1.1/24	::ffff:c0a8:01ff	127	1
::ffff:c0a8:0101	192.168.1.255	120	1
::192.168.1.1/30	192.168.1.255/24	127	1

Overview of IPv4/IPv6 functions

139 - isascii()

Learn how to use the isascii() to check if the argument is a valid ascii string.

Returns true if the argument is a valid ASCII string.

Syntax

isascii(value)

Parameters

Name	Type	Required	Description
value	`string`	✔️	The value to check if a valid ASCII string.

Returns

A boolean value indicating whether value is a valid ASCII string.

Example

print result=isascii("some string")

Output

result
true

140 - isempty()

Learn how to use the isempty() function to check if the argument is an empty string.

Returns true if the argument is an empty string or is null.

Syntax

isempty(value)

Parameters

Name	Type	Required	Description
value	`string`	✔️	The value to check if empty or null.

Returns

A boolean value indicating whether value is an empty string or is null.

Example

x	isempty(x)
""	true
“x”	false
parsejson("")	true
parsejson("[]")	false
parsejson("{}")	false

141 - isfinite()

Learn how to use the isfinite() function to check if the input is a finite value.

Returns whether the input is a finite value, meaning it’s not infinite or NaN.

Syntax

isfinite(number)

Parameters

Name	Type	Required	Description
number	`real`	✔️	The value to check if finite.

Returns

true if x is finite and false otherwise.

Example

range x from -1 to 1 step 1
| extend y = 0.0
| extend div = 1.0*x/y
| extend isfinite=isfinite(div)

Output

x	y	div	isfinite
-1	0	-∞	0
0	0	NaN	0
1	0	∞	0

To check if a value is null, see isnull().
To check if a value is infinite, see isinf().
To check if a value is NaN (Not-a-Number), see isnan().

142 - isinf()

Learn how to use the isinf() function to check if the input is an infinite value.

Returns whether the input is an infinite (positive or negative) value.

Syntax

isinf(number)

Parameters

Name	Type	Required	Description
number	`real`	✔️	The value to check if infinite.

Returns

true if x is a positive or negative infinite and false otherwise.

Example

range x from -1 to 1 step 1
| extend y = 0.0
| extend div = 1.0*x/y
| extend isinf=isinf(div)

Output

x	div	isinf
-1	-∞	true
0	NaN	false
1	∞	true

To check if a value is null, see isnull().
To check if a value is finite, see isfinite().
To check if a value is NaN (Not-a-Number), see isnan().

143 - isnan()

Learn how to use the isnan() function to check if the input is a not-a-number (NaN) value.

Returns whether the input is a Not-a-Number (NaN) value.

Syntax

isnan(number)

Parameters

Name	Type	Required	Description
number	scalar	✔️	The value to check if NaN.

Returns

true if x is NaN and false otherwise.

Example

range x from -1 to 1 step 1
| extend y = (-1*x) 
| extend div = 1.0*x/y
| extend isnan=isnan(div)

Output

x	y	div	isnan
-1	1	-1	false
0	0	NaN	true
1	-1	-1	false

To check if a value is null, see isnull().
To check if a value is finite, see isfinite().
To check if a value is infinite, see isinf().

144 - isnotempty()

Learn how to use the isnotempty() function to check if the argument isn’t an empty string.

Returns true if the argument isn’t an empty string, and it isn’t null.

Syntax

isnotempty(value)

Parameters

Name	Type	Required	Description
value	scalar	✔️	The value to check if not empty or null.

Returns

true if value isn’t null and false otherwise.

Example

Find the storm events for which there’s a begin location.

StormEvents
| where isnotempty(BeginLat) and isnotempty(BeginLon)

145 - isnotnull()

Learn how to use the isnotnull() function to check if the argument isn’t null.

Returns true if the argument isn’t null.

Syntax

isnotnull(value)

Parameters

Name	Type	Required	Description
value	scalar	✔️	The value to check if not null.

Returns

true if value isn’t null and false otherwise.

Example

Find the storm events for which there’s a begin location.

StormEvents
| where isnotnull(BeginLat) and isnotnull(BeginLon)

146 - isnull()

Learn how to use the isnull() function to check if the argument value is null.

Evaluates an expression and returns a Boolean result indicating whether the value is null.

Syntax

isnull(Expr)

Parameters

Name	Type	Required	Description
Expr	scalar	✔️	The expression to evaluate whether the value is null. The expression can be any scalar value other than strings, arrays, or objects that always return `false`. For more information, see The dynamic data type.

Returns

Returns true if the value is null and false otherwise. Empty strings, arrays, property bags, and objects always return false.

The following table lists return values for different expressions (x):

x	`isnull(x)`
`""`	`false`
`"x"`	`false`
`parse_json("")`	`true`
`parse_json("[]")`	`false`
`parse_json("{}")`	`false`

Example

Find the storm events for which there’s no begin location.

StormEvents
| where isnull(BeginLat) and isnull(BeginLon)
| project StartTime, EndTime, EpisodeId, EventId, State, EventType, BeginLat, BeginLon

Output

StartTime	EndTime	EpisodeId	EventId	State	EventType	BeginLat	BeginLon
2007-01-01T00:00:00Z	2007-01-01T05:00:00Z	4171	23358	WISCONSIN	Winter Storm
2007-01-01T00:00:00Z	2007-01-31T23:59:00Z	1492	7067	MINNESOTA	Drought
2007-01-01T00:00:00Z	2007-01-31T23:59:00Z	1492	7068	MINNESOTA	Drought
2007-01-01T00:00:00Z	2007-01-31T23:59:00Z	1492	7069	MINNESOTA	Drought
2007-01-01T00:00:00Z	2007-01-31T23:59:00Z	1492	7065	MINNESOTA	Drought
2007-01-01T00:00:00Z	2007-01-31T23:59:00Z	1492	7070	MINNESOTA	Drought
2007-01-01T00:00:00Z	2007-01-31T23:59:00Z	1492	7071	MINNESOTA	Drought
2007-01-01T00:00:00Z	2007-01-31T23:59:00Z	1492	7072	MINNESOTA	Drought
2007-01-01T00:00:00Z	2007-01-31T23:59:00Z	2380	11735	MINNESOTA	Drought
2007-01-01T00:00:00Z	2007-01-31T23:59:00Z	1492	7073	MINNESOTA	Drought
2007-01-01T00:00:00Z	2007-01-31T23:59:00Z	2240	10857	TEXAS	Drought
2007-01-01T00:00:00Z	2007-01-31T23:59:00Z	2240	10858	TEXAS	Drought
2007-01-01T00:00:00Z	2007-01-31T23:59:00Z	1492	7066	MINNESOTA	Drought
…	…	…	…	…	…	…	…

147 - isutf8()

Learn how to use the isutf8() function to check if the argument is a valid utf8 string.

Returns true if the argument is a valid UTF8 string.

Syntax

isutf8(value)

Parameters

Name	Type	Required	Description
value	`string`	✔️	The value to check if a valid UTF8 string.

Returns

A boolean value indicating whether value is a valid UTF8 string.

Example

print result=isutf8("some string")

148 - jaccard_index()

Learn how to use the jaccard_index() function to calculate the Jaccard index of two input sets.

Calculates the Jaccard index of two input sets.

Syntax

jaccard_index(set1, set2)

Parameters

Name	Type	Required	Description
set1	`dynamic`	✔️	The array representing the first set for the calculation.
set2	`dynamic`	✔️	The array representing the second set for the calculation.

Returns

The Jaccard index of the two input sets. The Jaccard index formula is |set1 ∩ set2| / |set1 ∪ set2|.

Examples

print set1=dynamic([1,2,3]), set2=dynamic([1,2,3,4])
| extend jaccard=jaccard_index(set1, set2)

Output

`set1`	`set2`	`jaccard`
[1,2,3]	[1,2,3,4]	0.75

149 - log()

Learn how to use the log() function to return the natural logarithm of the input.

The natural logarithm is the base-e logarithm: the inverse of the natural exponential function (exp).

Syntax

log(number)

Parameters

Name	Type	Required	Description
number	`real`	✔️	The number for which to calculate the logarithm.

Returns

log() returns the natural logarithm of the input.
null if the argument is negative or null or can’t be converted to a real value.

Example

print result=log(5)

Output

result
1.6094379124341003

For common (base-10) logarithms, see log10().
For base-2 logarithms, see log2().

150 - log10()

Learn how to use the log10() function to return the common (base-10) logarithm of the input.

log10() returns the common (base-10) logarithm of the input.

Syntax

log10(number)

Parameters

Name	Type	Required	Description
number	`real`	✔️	The number for which to calculate the base-10 logarithm.

Returns

The common logarithm is the base-10 logarithm: the inverse of the exponential function (exp) with base 10.
null if the argument is negative or null or can’t be converted to a real value.

Example

print result=log10(5)

Output

result
0.69897000433601886

For natural (base-e) logarithms, see log().
For base-2 logarithms, see log2()

151 - log2()

Learn how to use the log2() function to return the base-2 logarithm of the input.

The logarithm is the base-2 logarithm: the inverse of the exponential function (exp) with base 2.

Syntax

log2(number)

Parameters

Name	Type	Required	Description
number	`real`	✔️	The number for which to calculate the base-2 logarithm.

Returns

The logarithm is the base-2 logarithm: the inverse of the exponential function (exp) with base 2.
null if the argument is negative or null or can’t be converted to a real value.

Example

print result=log2(5)

Output

result
2.3219280948873622

For natural (base-e) logarithms, see log().
For common (base-10) logarithms, see log10().

152 - loggamma()

Learn how to use the loggamma() function to compute the log of the absolute value of the gamma function.

Computes log of the absolute value of the gamma function

Syntax

loggamma(number)

Parameters

Name	Type	Required	Description
number	`real`	✔️	The number for which to calculate the gamma.

Example

print result=loggamma(5)

Output

result
3.1780538303479458

Returns

Returns the natural logarithm of the absolute value of the gamma function of x.
For computing gamma function, see gamma().

153 - make_datetime()

Learn how to use the make_datetime() function to create a datetime scalar value from the specified date and time.

Creates a datetime scalar value between the specified date and time.

Syntax

make_datetime(year, month, day)

make_datetime(year, month, day, hour, minute)

make_datetime(year, month, day, hour, minute, second)

Parameters

Name	Type	Required	Description
year	`int`	✔️	The year value between 0 to 9999.
month	`int`	✔️	The month value between 1 to 12.
day	`int`	✔️	The day value between 1 to 28-31, depending on the month.
hour	`int`		The hour value between 0 to 23.
minute	`int`		The minute value between 0 to 59.
second	double		The second value between 0 to 59.9999999.

Returns

If successful, the result will be a datetime value, otherwise, the result will be null.

Example

print year_month_day = make_datetime(2017,10,01)

Output

year_month_day
2017-10-01 00:00:00.0000000

print year_month_day_hour_minute = make_datetime(2017,10,01,12,10)

Output

year_month_day_hour_minute
2017-10-01 12:10:00.0000000

print year_month_day_hour_minute_second = make_datetime(2017,10,01,12,11,0.1234567)

Output

year_month_day_hour_minute_second
2017-10-01 12:11:00.1234567

154 - make_timespan()

Learn how to use the make_timespan() function to create a timespan scalar value from the specified time period.

Creates a timespan scalar value from the specified time period.

Syntax

make_timespan(hour, minute)

make_timespan(hour, minute, second)

make_timespan(day, hour, minute, second)

Parameters

Name	Type	Required	Description
day	`int`	✔️	The day.
hour	`int`	✔️	The hour. A value from 0-23.
minute	`int`		The minute. A value from 0-59.
second	`real`		The second. A value from 0 to 59.9999999.

Returns

If the creation is successful, the result will be a timespan value. Otherwise, the result will be null.

Example

print ['timespan'] = make_timespan(1,12,30,55.123)

Output

`timespan`
1.12:30:55.1230000

155 - max_of()

Learn how to use the max_of() function to return the maximum value of all argument expressions.

Returns the maximum value of all argument expressions.

Syntax

max_of(arg, arg_2, [ arg_3, … ])

Parameters

Name	Type	Required	Description
arg_i	scalar	✔️	The values to compare.

All arguments must be of the same type.
Maximum of 64 arguments is supported.
Non-null values take precedence to null values.

Returns

The maximum value of all argument expressions.

Examples

Find the largest number

This query returns the maximum value of the numbers in the string.

print result = max_of(10, 1, -3, 17)

Output

result
17

Find the maximum value in a data-table

This query returns the highest value from columns A and B. Notice that non-null values take precedence over null values.

datatable (A: int, B: int)
[
    1, 6,
    8, 1,
    int(null), 2,
    1, int(null),
    int(null), int(null)
]
| project max_of(A, B)

Output

result
6
8
2
1
(null)

Find the maximum datetime

This query returns the later of the two datetime values from columns A and B.

datatable (A: datetime, B: datetime)
[
    datetime(2024-12-15 07:15:22), datetime(2024-12-15 07:15:24),
    datetime(2024-12-15 08:00:00), datetime(2024-12-15 09:30:00),
    datetime(2024-12-15 10:45:00), datetime(2024-12-14 10:45:00)
]
| project maxDate = max_of(A, B)

Output

maxDate
2024-12-15 07:15:24
2024-12-15 09:30:00
2024-12-15 10:45:00

156 - merge_tdigest()

Learn how to use the merge_tdigest() function to merge columns.

Merges tdigest results (scalar version of the aggregate version tdigest_merge()).

Read more about the underlying algorithm (T-Digest) and the estimated error here.

Syntax

merge_tdigest(exprs)

Parameters

Name	Type	Required	Description
exprs	`dynamic`	✔️	One or more comma-separated column references that have the `tdigest` values to be merged.

Returns

The result for merging the columns *Expr1*, *Expr2*, … *ExprN* to one tdigest.

Example

range x from 1 to 10 step 1 
| extend y = x + 10
| summarize tdigestX = tdigest(x), tdigestY = tdigest(y)
| project merged = merge_tdigest(tdigestX, tdigestY)
| project percentile_tdigest(merged, 100, typeof(long))

Output

percentile_tdigest_merged
20

157 - min_of()

Learn how to use the min_of() function to return the minimum value of all argument expressions.

Returns the minimum value of several evaluated scalar expressions.

Syntax

min_of (arg, arg_2, [ arg_3, … ])

Parameters

Name	Type	Required	Description
arg, arg_2, …	scalar	✔️	A comma separated list of 2-64 scalar expressions to compare. The function returns the minimum value among these expressions.

All arguments must be of the same type.
Maximum of 64 arguments is supported.
Non-null values take precedence to null values.

Returns

The minimum value of all argument expressions.

Examples

Find the maximum value in an array:

print result=min_of(10, 1, -3, 17)

Output

result
-3

Find the minimum value in a data-table. Non-null values take precedence over null values:

datatable (A: int, B: int)
[
    5, 2,
    10, 1,
    int(null), 3,
    1, int(null),
    int(null), int(null)
]
| project min_of(A, B)

Output

result
2
1
3
1
(null)

158 - monthofyear()

Learn how to use the monthofyear() function to get the integer representation of the month.

Returns the integer number from 1-12 representing the month number of the given year.

Syntax

monthofyear(date)

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The date for which to find the month number.

Returns

An integer from 1-12 representing the month number of the given year.

Example

print result=monthofyear(datetime("2015-12-14"))

Output

result
12

159 - new_guid()

Learn how to use the new_guid() function to return a random GUID (Globally Unique Identifier).

Returns a random GUID (Globally Unique Identifier).

Syntax

new_guid()

Returns

A new value of type guid.

Example

print guid=new_guid()

Output

guid
2157828f-e871-479a-9d1c-17ffde915095

160 - not()

Learn how to use the not() function to reverse the value of its boolean argument.

Reverses the value of its bool argument.

Syntax

not(expr)

Parameters

Name	Type	Required	Description
expr	scalar	✔️	An expression that evaluates to a boolean value. The result of this expression is reversed.

Returns

Returns the reversed logical value of its bool argument.

Examples

The following query returns the number of events that are not a tornado, per state.

StormEvents 
| where not(EventType == "Tornado") 
| summarize count() by State

Output

State	Count
TEXAS	4485
KANSAS	3005
IOWA	2286
ILLINOIS	1999
MISSOURI	1971
GEORGIA	1927
MINNESOTA	1863
WISCONSIN	1829
NEBRASKA	1715
NEW YORK	1746
…	…

The following query excludes records where either the EventType is hail, or the state is Alaska.

StormEvents
| where not(EventType == "Hail" or State == "Alaska")

The next query excludes records where both the EventType is hail and the state is Alaska simultaneously.

StormEvents
| where not(EventType == "Hail" and State == "Alaska")

Combine with other conditions

You can also combine the not() function with other conditions. The following query returns all records where the EventType is not a flood and the property damage is greater than $1,000,000.

StormEvents
| where not(EventType == "Flood") and DamageProperty > 1000000

161 - now()

Learn how to use the now() function to return the current UTC time.

Returns the current UTC time, optionally offset by a given timespan.

The current UTC time will stay the same across all uses of now() in a single query statement, even if there’s technically a small time difference between when each now() runs.

Syntax

now([ offset ])

Parameters

Name	Type	Required	Description
offset	`timespan`		A timespan to add to the current UTC clock time. The default value is 0.

Returns

The current UTC clock time, plus the offset time if provided, as a datetime.

Examples

Show the current time

print now()

Show the time 2 days ago

print now(-2d)

Find time elapsed from a given event

The following example shows the time elapsed since the start of the storm events.

StormEvents
| extend Elapsed=now() - StartTime
| take 10

Get the date relative to a specific time interval

let T = datatable(label: string, timespanValue: timespan) [
    "minute", 60s, 
    "hour", 1h, 
    "day", 1d, 
    "year", 365d
];
T 
| extend timeAgo = now() - timespanValue

Output

label	timespanValue	timeAgo
year	365.00:00:00	2022-06-19T08:22:54.6623324Z
day	1.00:00:00	2023-06-18T08:22:54.6623324Z
hour	01:00:00	2023-06-19T07:22:54.6623324Z
minute	00:01:00	2023-06-19T08:21:54.6623324Z

162 - pack_all()

Learn how to use the pack_all() function to create a dynamic object from all the columns of the tabular expression.

Creates a dynamic property bag object from all the columns of the tabular expression.

Syntax

pack_all([ ignore_null_empty ])

Parameters

Name	Type	Required	Description
ignore_null_empty	`bool`		Indicates whether to ignore null/empty columns and exclude them from the resulting property bag. The default value is `false`.

Example

The following query will use pack_all() to create columns for the below table.

SourceNumber	TargetNumber	CharsCount
555-555-1234	555-555-1212	46
555-555-1234	555-555-1213	50
555-555-1313		42
	555-555-3456	74

datatable(SourceNumber:string,TargetNumber:string,CharsCount:long)
[
'555-555-1234','555-555-1212',46,
'555-555-1234','555-555-1213',50,
'555-555-1313','',42, 
'','555-555-3456',74 
]
| extend Packed=pack_all(), PackedIgnoreNullEmpty=pack_all(true)

Output

SourceNumber	TargetNumber	CharsCount	Packed	PackedIgnoreNullEmpty
555-555-1234	555-555-1212	46	{“SourceNumber”:“555-555-1234”, “TargetNumber”:“555-555-1212”, “CharsCount”: 46}	{“SourceNumber”:“555-555-1234”, “TargetNumber”:“555-555-1212”, “CharsCount”: 46}
555-555-1234	555-555-1213	50	{“SourceNumber”:“555-555-1234”, “TargetNumber”:“555-555-1213”, “CharsCount”: 50}	{“SourceNumber”:“555-555-1234”, “TargetNumber”:“555-555-1213”, “CharsCount”: 50}
555-555-1313		42	{“SourceNumber”:“555-555-1313”, “TargetNumber”:"", “CharsCount”: 42}	{“SourceNumber”:“555-555-1313”, “CharsCount”: 42}
	555-555-3456	74	{“SourceNumber”:"", “TargetNumber”:“555-555-3456”, “CharsCount”: 74}	{“TargetNumber”:“555-555-3456”, “CharsCount”: 74}

163 - pack_array()

Learn how to use the pack_array() function to pack all input values into a dynamic array.

Packs all input values into a dynamic array.

Syntax

pack_array(value1, [ value2, … ])

pack_array(*)

Parameters

Name	Type	Required	Description
value1…valueN	`string`	✔️	Input expressions to be packed into a dynamic array.
The wildcard ``*	`string`		Providing the wildcard `*` packs all input columns into a dynamic array.

Returns

A dynamic array that includes the values of value1, value2, … valueN.

Example

range x from 1 to 3 step 1
| extend y = x * 2
| extend z = y * 2
| project pack_array(x, y, z)

Output

Column1
[1,2,4]
[2,4,8]
[3,6,12]

range x from 1 to 3 step 1
| extend y = tostring(x * 2)
| extend z = (x * 2) * 1s
| project pack_array(x, y, z)

Output

Column1
[1,“2”,“00:00:02”]
[2,“4”,“00:00:04”]
[3,“6”,“00:00:06”]

164 - parse_command_line()

Learn how to use the parse_command_line() function to parse a unicode command-line string.

Parses a Unicode command-line string and returns a dynamic array of the command-line arguments.

Syntax

parse_command_line(command_line, parser_type)

Parameters

Name	Type	Required	Description
command_line	`string`	✔️	The command line value to parse.
parser_type	`string`	✔️	The only value that is currently supported is `"windows"`, which parses the command line the same way as CommandLineToArgvW.

Returns

A dynamic array of the command-line arguments.

Example

print parse_command_line("echo \"hello world!\"", "windows")

Output

Result
[“echo”,“hello world!”]

165 - parse_csv()

Learn how to use the parse_csv() function to split a given string representing a single record of comma-separated values.

Splits a given string representing a single record of comma-separated values and returns a string array with these values.

Syntax

parse_csv(csv_text)

Parameters

Name	Type	Required	Description
csv_text	`string`	✔️	A single record of comma-separated values.

Returns

A string array that contains the split values.

Examples

Filter by count of values in record

Count the conference sessions with more than three participants.

ConferenceSessions
| where array_length(parse_csv(participants)) > 3
| distinct *

Output

sessionid	…	participants
CON-PRT157	…	Guy Reginiano, Guy Yehudy, Pankaj Suri, Saeed Copty
BRK3099	…	Yoni Leibowitz, Eric Fleischman, Robert Pack, Avner Aharoni

Use escaping quotes

print result=parse_csv('aa,"b,b,b",cc,"Escaping quotes: ""Title""","line1\nline2"')

Output

result
[ “aa”, “b,b,b”, “cc”, “Escaping quotes: "Title"”, “line1\nline2” ]

CSV with multiple records

Only the first record is taken since this function doesn’t support multiple records.

print result_multi_record=parse_csv('record1,a,b,c\nrecord2,x,y,z')

Output

result_multi_record
[ “record1”, “a”, “b”, “c” ]

166 - parse_ipv4_mask()

Learn how to use the parse_ipv4_mask() function to convert an IPv4 input string and netmask to a 64-bit wide long number in big-endian order.

Converts the input string of IPv4 and netmask to a signed, 64-bit wide, long number representation in big-endian order.

Syntax

parse_ipv4_mask(ip , prefix)

Parameters

Name	Type	Required	Description
ip	`string`	✔️	The IPv4 address to convert to a long number.
prefix	`int`	✔️	An integer from 0 to 32 representing the number of most-significant bits that are taken into account.

Returns

If conversion is successful, the result is a long number. If conversion isn’t successful, the result is null.

Example

print parse_ipv4_mask("127.0.0.1", 24)

167 - parse_ipv4()

Learn how to use the parse_ipv4() function to convert an IPv4 string to a long number in big-endian order.

Converts IPv4 string to a signed 64-bit wide long number representation in big-endian order.

Syntax

parse_ipv4(ip)

Parameters

Name	Type	Required	Description
ip	`string`	✔️	The IPv4 that is converted to long. The value may include net-mask using IP-prefix notation.

Returns

If conversion is successful, the result is a long number. If conversion isn’t successful, the result is null.

Example

datatable(ip_string: string)
[
    '192.168.1.1', '192.168.1.1/24', '255.255.255.255/31'
]
| extend ip_long = parse_ipv4(ip_string)

Output

ip_string	ip_long
192.168.1.1	3232235777
192.168.1.1/24	3232235776
255.255.255.255/31	4294967294

168 - parse_ipv6_mask()

Learn how to use the parse_ipv6_mask() function to convert IPv6 or IPv4 strings and netmask to a canonical IPv6 string representation.

Converts IPv6/IPv4 string and netmask to a canonical IPv6 string representation.

Syntax

parse_ipv6_mask(ip, prefix)

Parameters

Name	Type	Required	Description
ip	`string`		The IPv6/IPv4 network address to convert to canonical IPv6 representation. The value may include net-mask using IP-prefix notation.
prefix	`int`		An integer from 0 to 128 representing the number of most-significant bits that are taken into account.

Returns

If conversion is successful, the result is a string representing a canonical IPv6 network address. If conversion isn’t successful, the result is an empty string.

Example

datatable(ip_string: string, netmask: long)
[
    // IPv4 addresses
    '192.168.255.255', 120,  // 120-bit netmask is used
    '192.168.255.255/24', 124,  // 120-bit netmask is used, as IPv4 address doesn't use upper 8 bits
    '255.255.255.255', 128,  // 128-bit netmask is used
    // IPv6 addresses
    'fe80::85d:e82c:9446:7994', 128,     // 128-bit netmask is used
    'fe80::85d:e82c:9446:7994/120', 124, // 120-bit netmask is used
    // IPv6 with IPv4 notation
    '::192.168.255.255', 128,  // 128-bit netmask is used
    '::192.168.255.255/24', 128,  // 120-bit netmask is used, as IPv4 address doesn't use upper 8 bits
]
| extend ip6_canonical = parse_ipv6_mask(ip_string, netmask)

Output

ip_string	netmask	ip6_canonical
192.168.255.255	120	0000:0000:0000:0000:0000:ffff:c0a8:ff00
192.168.255.255/24	124	0000:0000:0000:0000:0000:ffff:c0a8:ff00
255.255.255.255	128	0000:0000:0000:0000:0000:ffff:ffff:ffff
fe80::85d:e82c:9446:7994	128	fe80:0000:0000:0000:085d:e82c:9446:7994
fe80::85d:e82c:9446:7994/120	124	fe80:0000:0000:0000:085d:e82c:9446:7900
::192.168.255.255	128	0000:0000:0000:0000:0000:ffff:c0a8:ffff
::192.168.255.255/24	128	0000:0000:0000:0000:0000:ffff:c0a8:ff00

169 - parse_ipv6()

Learn how to use the parse_ipv6() function to convert IPv6 or IPv4 strings to a canonical IPv6 string representation.

Converts IPv6 or IPv4 string to a canonical IPv6 string representation.

Syntax

parse_ipv6(ip)

Parameters

Name	Type	Required	Description
ip	`string`	✔️	The IPv6/IPv4 network address that is converted to canonical IPv6 representation. The value may include net-mask using IP-prefix notation.

Returns

If conversion is successful, the result is a string representing a canonical IPv6 network address. If conversion isn’t successful, the result is an empty string.

Example

datatable(ipv4: string)
[
    '192.168.255.255', '192.168.255.255/24', '255.255.255.255'
]
| extend ipv6 = parse_ipv6(ipv4)

Output

ipv4	ipv6
192.168.255.255	0000:0000:0000:0000:0000:ffff:c0a8:ffff
192.168.255.255/24	0000:0000:0000:0000:0000:ffff:c0a8:ff00
255.255.255.255	0000:0000:0000:0000:0000:ffff:ffff:ffff

170 - parse_json() function

Learn how to use the parse_json() function to return an object of type dynamic.

Interprets a string as a JSON value and returns the value as dynamic. If possible, the value is converted into relevant data types. For strict parsing with no data type conversion, use extract() or extract_json() functions.

It’s better to use the parse_json() function over the extract_json() function when you need to extract more than one element of a JSON compound object. Use dynamic() when possible.

Syntax

parse_json(json)

Parameters

Name	Type	Required	Description
json	`string`	✔️	The string in the form of a JSON-formatted value or a dynamic property bag to parse as JSON.

Returns

An object of type dynamic that is determined by the value of json:

If json is of type dynamic, its value is used as-is.
If json is of type string, and is a properly formatted JSON string, then the string is parsed, and the value produced is returned.
If json is of type string, but it isn’t a properly formatted JSON string, then the returned value is an object of type dynamic that holds the original string value.

Example

In the following example, when context_custom_metrics is a string that looks like this:

{"duration":{"value":118.0,"count":5.0,"min":100.0,"max":150.0,"stdDev":0.0,"sampledValue":118.0,"sum":118.0}}

then the following query retrieves the value of the duration slot in the object, and from that it retrieves two slots, duration.value and duration.min (118.0 and 110.0, respectively).

datatable(context_custom_metrics:string)
[
    '{"duration":{"value":118.0,"count":5.0,"min":100.0,"max":150.0,"stdDev":0.0,"sampledValue":118.0,"sum":118.0}}'
]
| extend d = parse_json(context_custom_metrics)
| extend duration_value = d.duration.value, duration_min = d.duration.min

Notes

It’s common to have a JSON string describing a property bag in which one of the “slots” is another JSON string.

For example:

let d='{"a":123, "b":"{\\"c\\":456}"}';
print d

In such cases, it isn’t only necessary to invoke parse_json twice, but also to make sure that in the second call, tostring is used. Otherwise, the second call to parse_json will just pass on the input to the output as-is, because its declared type is dynamic.

let d='{"a":123, "b":"{\\"c\\":456}"}';
print d_b_c=parse_json(tostring(parse_json(d).b)).c

parse operator

171 - parse_path()

Learn how to use the parse_path() function to parse a file path.

Parses a file path string and returns a dynamic object that contains the following parts of the path:

Scheme
RootPath
DirectoryPath
DirectoryName
Filename
Extension
AlternateDataStreamName

In addition to the simple paths with both types of slashes, the function supports paths with:

Schemas. For example, “file://…”
Shared paths. For example, “\shareddrive\users…”
Long paths. For example, “\?\C:…”"

Syntax

parse_path(path)

Parameters

Name	Type	Required	Description
path	`string`	✔️	The file path.

Returns

An object of type dynamic that included the path components as listed above.

Example

datatable(p:string) 
[
    @"C:\temp\file.txt",
    @"temp\file.txt",
    "file://C:/temp/file.txt:some.exe",
    @"\\shared\users\temp\file.txt.gz",
    "/usr/lib/temp/file.txt"
]
| extend path_parts = parse_path(p)

Output

p	path_parts
C:\temp\file.txt	{“Scheme”:"",“RootPath”:“C:”,“DirectoryPath”:“C:\temp”,“DirectoryName”:“temp”,“Filename”:“file.txt”,“Extension”:“txt”,“AlternateDataStreamName”:""}
temp\file.txt	{“Scheme”:"",“RootPath”:"",“DirectoryPath”:“temp”,“DirectoryName”:“temp”,“Filename”:“file.txt”,“Extension”:“txt”,“AlternateDataStreamName”:""}
file://C:/temp/file.txt:some.exe	{“Scheme”:“file”,“RootPath”:“C:”,“DirectoryPath”:“C:/temp”,“DirectoryName”:“temp”,“Filename”:“file.txt”,“Extension”:“txt”,“AlternateDataStreamName”:“some.exe”}
\shared\users\temp\file.txt.gz	{“Scheme”:"",“RootPath”:"",“DirectoryPath”:"\\shared\users\temp",“DirectoryName”:“temp”,“Filename”:“file.txt.gz”,“Extension”:“gz”,“AlternateDataStreamName”:""}
/usr/lib/temp/file.txt	{“Scheme”:"",“RootPath”:"",“DirectoryPath”:"/usr/lib/temp",“DirectoryName”:“temp”,“Filename”:“file.txt”,“Extension”:“txt”,“AlternateDataStreamName”:""}

172 - parse_url()

Learn how to use the parse_url() function to parse a URL string.

Parses an absolute URL string and returns a dynamic object contains URL parts.

Syntax

parse_url(url)

Parameters

Name	Type	Required	Description
url	`string`	✔️	An absolute URL, including its scheme, or the query part of the URL. For example, use the absolute `https://bing.com` instead of `bing.com`.

Returns

An object of type dynamic that included the URL components: Scheme, Host, Port, Path, Username, Password, Query Parameters, Fragment.

Example

print Result=parse_url("scheme://username:password@host:1234/this/is/a/path?k1=v1&k2=v2#fragment")

Output

Result
{“Scheme”:“scheme”, “Host”:“host”, “Port”:“1234”, “Path”:“this/is/a/path”, “Username”:“username”, “Password”:“password”, “Query Parameters”:"{“k1”:“v1”, “k2”:“v2”}", “Fragment”:“fragment”}

173 - parse_urlquery()

Learn how to use the parse_urlquery() function to return a dynamic object that contains the query parameters.

Returns a dynamic object that contains the query parameters.

Syntax

parse_urlquery(query)

Parameters

Name	Type	Required	Description
query	`string`	✔️	The query part of the URL. The format must follow URL query standards (key=value& …).

Returns

An object of type dynamic that includes the query parameters.

Examples

print Result=parse_urlquery("k1=v1&k2=v2&k3=v3")

Output

Result
{ “Query Parameters”:"{“k1”:“v1”, “k2”:“v2”, “k3”:“v3”}" }

The following example uses a function to extract specific query parameters.

let getQueryParamValue = (querystring: string, param: string) {
    let params = parse_urlquery(querystring);
    tostring(params["Query Parameters"].[param])
};
print UrlQuery = 'view=vs-2019&preserve-view=true'
| extend view = getQueryParamValue(UrlQuery, 'view')
| extend preserve = getQueryParamValue(UrlQuery, 'preserve-view')

Output

UrlQuery	view	preserve
view=vs-2019&preserve-view=true	vs-2019	true

174 - parse_user_agent()

Learn how to use the parse_user_agent() to return a dynamic object that contains information about the user-agent.

Interprets a user-agent string, which identifies the user’s browser and provides certain system details to servers hosting the websites the user visits. The result is returned as dynamic.

Syntax

parse_user_agent(user-agent-string, look-for)

Parameters

Name	Type	Required	Description
user-agent-string	`string`	✔️	The user-agent string to parse.
look-for	string or dynamic	✔️	The value to search for in user-agent-string. The possible options are “browser”, “os”, or “device”. If only a single parsing target is required, it can be passed a `string` parameter. If two or three targets are required, they can be passed as a `dynamic` array.

Returns

An object of type dynamic that contains the information about the requested parsing targets.

Browser: Family, MajorVersion, MinorVersion, Patch

OperatingSystem: Family, MajorVersion, MinorVersion, Patch, PatchMinor

Device: Family, Brand, Model

When the function is used in a query, make sure it runs in a distributed manner on multiple machines. If queries with this function are frequently used, you may want to pre-create the results via update policy, but you need to take into account that using this function inside the update policy will increase the ingestion latency.

Examples

Look-for parameter as string

print useragent = "Mozilla/5.0 (Windows; U; en-US) AppleWebKit/531.9 (KHTML, like Gecko) AdobeAIR/2.5.1"
| extend x = parse_user_agent(useragent, "browser")

Expected result is a dynamic object:

{
  "Browser": {
    "Family": "AdobeAIR",
    "MajorVersion": "2",
    "MinorVersion": "5",
    "Patch": "1"
  }
}

Look-for parameter as dynamic array

print useragent = "Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaN81-3/10.0.032 Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/4"
| extend x = parse_user_agent(useragent, dynamic(["browser","os","device"]))

Expected result is a dynamic object:

{
  "Browser": {
    "Family": "Nokia OSS Browser",
    "MajorVersion": "3",
    "MinorVersion": "1",
    "Patch": ""
  },
  "OperatingSystem": {
    "Family": "Symbian OS",
    "MajorVersion": "9",
    "MinorVersion": "2",
    "Patch": "",
    "PatchMinor": ""
  },
  "Device": {
    "Family": "Nokia N81",
    "Brand": "Nokia",
    "Model": "N81-3"
  }
}

175 - parse_version()

Learn how to use the parse_version() function to convert the input string representation of the version to a comparable decimal number,

Converts the input string representation of a version number into a decimal number that can be compared.

Syntax

parse_version (version)

Parameters

Name	Type	Required	Description
version	`string`	✔️	The version to be parsed.

Returns

If conversion is successful, the result is a decimal; otherwise, the result is null.

Examples

Parse version strings

The following query shows version strings with their parsed version numbers.

let dt = datatable(v: string)
    [
    "0.0.0.5", "0.0.7.0", "0.0.3", "0.2", "0.1.2.0", "1.2.3.4", "1"
];
dt
| extend parsedVersion = parse_version(v)

Output

v	parsedVersion
0.0.0.5	5
0.0.7.0	700,000,000
0.0.3	300,000,000
0.2	20,000,000,000,000,000
0.1.2.0	10,000,000,200,000,000
1.2.3.4	1,000,000,020,000,000,300,000,004
1	1,000,000,000,000,000,000,000,000

Compare parsed version strings

The following query identifies which labs have equipment needing updates by comparing their parsed version strings to the minimum version number “1.0.0.0”.

let dt = datatable(lab: string, v: string)
[
    "Lab A", "0.0.0.5",
    "Lab B", "0.0.7.0",
    "Lab D","0.0.3",
    "Lab C", "0.2", 
    "Lab G", "0.1.2.0",
    "Lab F", "1.2.3.4",
    "Lab E", "1",
];
dt
| extend parsed_version = parse_version(v)
| extend needs_update = iff(parsed_version < parse_version("1.0.0.0"), "Yes", "No")
| project lab, v, needs_update
| sort by lab asc , v, needs_update

Output

lab	v	needs_update
Lab A	0.0.0.5	Yes
Lab B	0.0.7.0	Yes
Lab C	0.2	Yes
Lab D	0.0.3	Yes
Lab E	1	No
Lab F	1.2.3.4	No
Lab G	0.1.2.0	Yes

176 - parse_xml()

Learn how to use the parse_xml() function to return a dynamic object that is determined by the value of XML.

Interprets a string as an XML value, converts the value to a JSON, and returns the value as dynamic.

Syntax

parse_xml(xml)

Parameters

Name	Type	Required	Description
xml	`string`	✔️	The XML-formatted string value to parse.

Returns

An object of type dynamic that is determined by the value of xml, or null, if the XML format is invalid.

The conversion is done as follows:

XML	JSON	Access
`<e/>`	{ “e”: null }	o.e
`<e>text</e>`	{ “e”: “text” }	o.e
`<e name="value" />`	{ “e”:{"@name": “value”} }	o.e["@name"]
`<e name="value">text</e>`	{ “e”: { “@name”: “value”, “#text”: “text” } }	o.e["@name"] o.e["#text"]
`<e> <a>text</a> <b>text</b> </e>`	{ “e”: { “a”: “text”, “b”: “text” } }	o.e.a o.e.b
`<e> <a>text</a> <a>text</a> </e>`	{ “e”: { “a”: [“text”, “text”] } }	o.e.a[0] o.e.a[1]
`<e> text <a>text</a> </e>`	{ “e”: { “#text”: “text”, “a”: “text” } }	1`o.e["#text"] o.e.a

Example

In the following example, when context_custom_metrics is a string that looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<duration>
    <value>118.0</value>
    <count>5.0</count>
    <min>100.0</min>
    <max>150.0</max>
    <stdDev>0.0</stdDev>
    <sampledValue>118.0</sampledValue>
    <sum>118.0</sum>
</duration>

then the following CSL Fragment translates the XML to the following JSON:

{
    "duration": {
        "value": 118.0,
        "count": 5.0,
        "min": 100.0,
        "max": 150.0,
        "stdDev": 0.0,
        "sampledValue": 118.0,
        "sum": 118.0
    }
}

and retrieves the value of the duration slot in the object, and from that it retrieves two slots, duration.value and duration.min (118.0 and 100.0, respectively).

T
| extend d=parse_xml(context_custom_metrics) 
| extend duration_value=d.duration.value, duration_min=d["duration"]["min"]

177 - percentile_array_tdigest()

Learn how to use the percentile_array_tdigest() to calculate the percentile value of an expression.

Calculates the percentile result from the tdigest results (which was generated by tdigest() or tdigest_merge())

Syntax

percentiles_array_tdigest(tdigest, percentile1 [, percentile2, …])

percentiles_array_tdigest(tdigest, Dynamic array [, typeLiteral ])

Parameters

Name	Type	Required	Description
tdigest	`string`	✔️	The `tdigest` or tdigest_merge() results used to calculate the percentiles.
percentile	`real`	✔️	A value or comma-separated list of values that specifies the percentiles.
Dynamic array	`dynamic`	✔️	A dynamic array of real numbers that specify the percentiles.
typeLiteral	`string`		A type literal. For example, `typeof(long)`. If provided, the result set is of this type.

Returns

The percentile/percentiles value of each value in tdigest.

a dynamic array that includes the results. (such like percentiles())

Examples

StormEvents
| summarize tdigestRes = tdigest(DamageProperty) by State
| project percentiles_array_tdigest(tdigestRes, range(0, 100, 50), typeof(int))

Output

percentile_tdigest_tdigestRes
[0,0,0]
[0,0,62000000]
[0,0,110000000]
[0,0,1200000]
[0,0,250000]

178 - percentile_tdigest()

Learn how to use the percentile_tdigest() function to calculate the percentile value of an expression.

Calculates the percentile result from the tdigest results (which was generated by tdigest() or tdigest_merge())

Syntax

percentile_tdigest(expr, percentile1 , typeLiteral)

Parameters

Name	Type	Required	Description
expr	`string`	✔️	An expression that was generated by `tdigest` or tdigest_merge().
percentile	`long`	✔️	The value that specifies the percentile.
typeLiteral	`string`		A type literal. If provided, the result set will be of this type. For example, `typeof(long)` will cast all results to type `long`.

Returns

The percentile value of each value in expr.

Examples

StormEvents
| summarize tdigestRes = tdigest(DamageProperty) by State
| project percentile_tdigest(tdigestRes, 100)

Output

percentile_tdigest_tdigestRes
0
62000000
110000000
1200000
250000

StormEvents
| summarize tdigestRes = tdigest(DamageProperty) by State
| union (StormEvents | summarize tdigestRes = tdigest(EndTime) by State)
| project percentile_tdigest(tdigestRes, 100)

Output

percentile_tdigest_tdigestRes
[0]
[62000000]
[“2007-12-20T11:30:00.0000000Z”]
[“2007-12-31T23:59:00.0000000Z”]

179 - percentrank_tdigest()

Learn how to use the percentrank_tdigest() function to calculate the approximate rank of the value in a set.

Calculates the approximate rank of the value in a set, where rank is expressed as a percentage of the set’s size. This function can be viewed as the inverse of the percentile.

Syntax

percentrank_tdigest(digest, value)

Parameters

Name	Type	Required	Description
digest	`string`	✔️	An expression that was generated by tdigest() or tdigest_merge().
value	scalar	✔️	An expression representing a value to be used for percentage ranking calculation.

Returns

The percentage rank of value in a dataset.

Examples

Getting the percentrank_tdigest() of the damage property that valued 4490$ is ~85%:

StormEvents
| summarize tdigestRes = tdigest(DamageProperty)
| project percentrank_tdigest(tdigestRes, 4490)

Output

Column1
85.0015237192293

Using percentile 85 over the damage property should give 4490$:

StormEvents
| summarize tdigestRes = tdigest(DamageProperty)
| project percentile_tdigest(tdigestRes, 85, typeof(long))

Output

percentile_tdigest_tdigestRes
4490

180 - pi()

Learn how to use the pi() function to return the constant value of Pi.

Returns the constant value of Pi.

Syntax

pi()

Returns

The double value of Pi (3.1415926…)

181 - pow()

Learn how to use the pow() function to calculate the base raised to the power of the exponent.

Returns a result of raising to power

Syntax

pow(base, exponent )

Parameters

Name	Type	Required	Description
base	int, real, or long	✔️	The base value.
exponent	int, real, or long	✔️	The exponent value.

Returns

Returns base raised to the power exponent: base ^ exponent.

Example

print result=pow(2, 3)

Output

result
8

182 - punycode_domain_from_string

This article describes the punycode_domain_from_string() command.

Decodes input string from encoded Internationalized Domain Name in Applications (IDNA) punycode form.

Syntax

punycode_domain_from_string(encoded_string)

Parameters

Name	Type	Required	Description
encoded_string	`string`	✔️	An IDNA string to be decoded from punycode form. The function accepts one string argument.

Returns

Returns a string that represents the original Internationalized Domain Name.
Returns an empty result if decoding failed.

Example

datatable(encoded:string)
[
    "xn--Ge-mia.Bulg.edu", 
    "xn--Lin-8na.Celtchair.org", 
    "xn--Ry-lja8c.xn--Jng-uta63a.xn--Bng-9ka.com", 
] 
| extend domain=punycode_domain_from_string(encoded)

encoded	domain
xn–Ge-mia.Bulg.edu	Gáe.Bulg.edu
xn–Lin-8na.Celtchair.org	Lúin.Celtchair.org
xn–Ry-lja8c.xn–Jng-uta63a.xn–Bng-9ka.com	Rúyì.Jīngū.Bàng.com

To encode a domain name to punycode form, see punycode_domain_to_string().

183 - punycode_domain_to_string

This article describes the punycode_domain_to_string() command.

Encodes Internationalized Domain Name in Applications (IDNA) string to Punycode form.

Syntax

punycode_domain_to_string(domain)

Parameters

Name	Type	Required	Description
domain	`string`	✔️	A string to be encoded to punycode form. The function accepts one string argument.

Returns

Returns a string that represents punycode-encoded original string.
Returns an empty result if encoding failed.

Examples

datatable(domain:string )['Lê Lợi。Thuận Thiên。com', 'Riðill｡Skáldskaparmál｡org', "Kaledvoulc'h.Artorījos.edu"]
| extend str=punycode_domain_to_string(domain)

domain	str
Lê Lợi。Thuận Thiên。com	xn–L Li-gpa4517b.xn–Thun Thin-s4a7194f.com
Riðill｡Skáldskaparmál｡org	xn–Riill-jta.xn–Skldskaparml-dbbj.org
Kaledvoulc’h.Artorījos.edu	Kaledvoulc’h.xn–Artorjos-ejb.edu

To retrieve the original decoded string, see punycode_domain_from_string().

184 - punycode_from_string

This article describes the punycode_from_string() command.

Encodes input string to Punycode form. The result string contains only ASCII characters. The result string doesn’t start with “xn–”.

Syntax

punycode_from_string('input_string')

Parameters

Name	Type	Required	Description
input_string	`string`	✔️	A string to be encoded to punycode form. The function accepts one string argument.

Returns

Returns a string that represents punycode-encoded original string.
Returns an empty result if encoding failed.

Examples

 print encoded = punycode_from_string('académie-française')

encoded
acadmie-franaise-npb1a

 print domain='艺术.com'
| extend domain_vec = split(domain, '.')
| extend encoded_host = punycode_from_string(tostring(domain_vec[0]))
| extend encoded_domain = strcat('xn--', encoded_host, '.', domain_vec[1])

domain	domain_vec	encoded_host	encoded_domain
艺术.com	[“艺术”,“com”]	cqv902d	xn–cqv902d.com

Use punycode_to_string() to retrieve the original decoded string.

185 - punycode_to_string

This article describes the punycode_to_string() command.

Decodes input string from punycode form. The string shouldn’t contain the initial xn–, and must contain only ASCII characters.

Syntax

punycode_to_string('input_string')

Parameters

Name	Type	Required	Description
input_string	`string`	✔️	A string to be decoded from punycode form. The function accepts one string argument.

Returns

Returns a string that represents the original, decoded string.
Returns an empty result if decoding failed.

Example

 print decoded = punycode_to_string('acadmie-franaise-npb1a')

decoded
académie-française

Use punycode_from_string() to encode a string to punycode form.

186 - radians()

Learn how to use the radians() function to convert angle values from degrees to radians.

Converts angle value in degrees into value in radians, using formula radians = (PI / 180 ) * angle_in_degrees

Syntax

radians(degrees)

Parameters

Name	Type	Required	Description
degrees	`real`	✔️	The angle in degrees.

Returns

The corresponding angle in radians for an angle specified in degrees.

Example

print radians0 = radians(90), radians1 = radians(180), radians2 = radians(360)

Output

radians0	radians1	radians2
1.5707963267949	3.14159265358979	6.28318530717959

187 - rand()

Learn how to use the rand() function to return a random number.

Returns a random number.

rand()
rand(1000)

Syntax

rand() - returns a value of type real with a uniform distribution in the range [0.0, 1.0).
rand( N ) - returns a value of type real chosen with a uniform distribution from the set {0.0, 1.0, …, N - 1}.

188 - range()

Learn how to use the range() function to generate a dynamic array holding a series of equally spaced values.

Generates a dynamic array holding a series of equally spaced values.

Syntax

range(start, stop [, step])

Parameters

Name	Type	Required	Description
start	scalar	✔️	The value of the first element in the resulting array.
stop	scalar	✔️	The maximum value of the last element in the resulting array, such that the last value in the series is less than or equal to the stop value.
step	scalar		The difference between two consecutive elements of the array. The default value for step is `1` for numeric and `1h` for `timespan` or `datetime`.

Returns

A dynamic array whose values are: start, start + step, … up to and including stop. The array is truncated if the maximum number of results allowed is reached.

Examples

The following example returns an array of numbers from one to eight, with an increment of three.

print r = range(1, 8, 3)

Output

r
[1,4,7]

The following example returns an array with all dates from the year 2007.

print r = range(datetime(2007-01-01), datetime(2007-12-31), 1d)

Output

r
[“2007-01-01T00:00:00.0000000Z”,“2007-01-02T00:00:00.0000000Z”,“2007-01-03T00:00:00.0000000Z”,…..,“2007-12-31T00:00:00.0000000Z”]

The following example returns an array with numbers between one and three.

print range(1, 3)

Output

print_0
[1,2,3]

The following example returns a range of hours between one hour and five hours.

print range(1h, 5h)

Output

print_0
1,000,000
`["01:00:00","02:00:00","03:00:00","04:00:00","05:00:00"]`:

The following example returns a truncated array as the range exceeds the maximum results limit. The example demonstrates that the limit is exceeded by using the mv-expand operator to expand the array into multiple records and then counting the number of records.

" target="_blank">Run the query

print r = range(1,1000000000) 
| mv-expand r 
| count

Output

Count
1,048,576

189 - rank_tdigest()

Learn how to use the rank_tdigest() function to calculate the approximate rank of the value in a set.

Calculates the approximate rank of the value in a set. Rank of value v in a set S is defined as count of members of S that are smaller or equal to v, S is represented by its tdigest.

Syntax

rank_tdigest(digest, value)

Parameters

Name	Type	Required	Description
digest	`string`	An expression that was generated by tdigest() or tdigest_merge().
value	scalar	An expression representing a value to be used for ranking calculation.

Returns

The rank foreach value in a dataset.

Examples

In a sorted list (1-1000), the rank of 685 is its index:

range x from 1 to 1000 step 1
| summarize t_x=tdigest(x)
| project rank_of_685=rank_tdigest(t_x, 685)

Output

`rank_of_685`
`685`

This query calculates the rank of value 4490$ over all damage properties costs:

StormEvents
| summarize tdigestRes = tdigest(DamageProperty)
| project rank_of_4490=rank_tdigest(tdigestRes, 4490)

Output

`rank_of_4490`
`50207`

Getting the estimated percentage of the rank (by dividing by the set size):

StormEvents
| summarize tdigestRes = tdigest(DamageProperty), count()
| project rank_tdigest(tdigestRes, 4490) * 100.0 / count_

Output

`Column1`
`85.0015237192293`

The percentile 85 of the damage properties costs is 4490$:

StormEvents
| summarize tdigestRes = tdigest(DamageProperty)
| project percentile_tdigest(tdigestRes, 85, typeof(long))

Output

`percentile_tdigest_tdigestRes`
`4490`

190 - regex_quote()

Learn how to use the regex_quote() function to return a string that escapes all regular expression characters.

Returns a string that escapes all regular expression characters.

Syntax

regex_quote(string)

Parameters

Name	Type	Required	Description
string	`string`	✔️	The string to escape.

Returns

Returns string where all regex expression characters are escaped.

Example

print result = regex_quote('(so$me.Te^xt)')

Output

result
`$so\$me\.Te\^xt$`

191 - repeat()

Learn how to use the repeat() function to generate a dynamic array containing a series comprised of repeated numbers.

Generates a dynamic array containing a series comprised of repeated numbers.

Syntax

repeat(value, count)

Parameters

Name	Type	Required	Description
value	`bool`, `int`, `long`, `real`, `datetime`, `string` or `timespan`	✔️	The value of the element in the resulting array.
count	`int`	✔️	The count of the elements in the resulting array.

Returns

If count is equal to zero, an empty array is returned. If count is less than zero, a null value is returned.

Examples

The following example returns [1, 1, 1]:

T | extend r = repeat(1, 3)

192 - replace_regex()

Learn how to use the replace_regex() function to replace all regex matches with another string.

Replaces all regular expression matches with a specified pattern.

Syntax

replace_regex(source,lookup_regex, rewrite_pattern)

Parameters

Name	Type	Required	Description
source	`string`	✔️	The text to search and replace.
lookup_regex	`string`	✔️	The regular expression to search for in text. The expression can contain capture groups in parentheses. To match over multiple lines, use the `m` or `s` flags. For more information on flags, see Grouping and flags.
rewrite_pattern	`string`	✔️	The replacement regex for any match made by matchingRegex. Use `\0` to refer to the whole match, `\1` for the first capture group, `\2` and so on for subsequent capture groups.

Returns

Returns the source after replacing all matches of lookup_regex with evaluations of rewrite_pattern. Matches do not overlap.

Example

range x from 1 to 5 step 1
| extend str=strcat('Number is ', tostring(x))
| extend replaced=replace_regex(str, @'is (\d+)', @'was: \1')

Output

x	str	replaced
1	Number is 1.000000	Number was: 1.000000
2	Number is 2.000000	Number was: 2.000000
3	Number is 3.000000	Number was: 3.000000
4	Number is 4.000000	Number was: 4.000000
5	Number is 5.000000	Number was: 5.000000

To replace a single string, see replace_string().
To replace multiple strings, see replace_strings().
To replace a set of characters, see translate().

193 - replace_string()

Learn how to use the replace_string() function to replace all string matches with another string.

Replaces all string matches with a specified string.

To replace multiple strings, see replace_strings().

Syntax

replace_string(text, lookup, rewrite)

Parameters

Name	Type	Required	Description
text	`string`	✔️	The source string.
lookup	`string`	✔️	The string to be replaced.
rewrite	`string`	✔️	The replacement string.

Returns

Returns the text after replacing all matches of lookup with evaluations of rewrite. Matches don’t overlap.

Examples

Replace words in a string

The following example uses replace_string() to replace the word “cat” with the word “hamster” in the Message string.

print Message="A magic trick can turn a cat into a dog"
| extend Outcome = replace_string(
        Message, "cat", "hamster")  // Lookup strings

Output

Message	Outcome
A magic trick can turn a cat into a dog	A magic trick can turn a hamster into a dog

Generate and modify a sequence of numbers

The following example creates a table with column x containing numbers from one to five, incremented by one. It adds the column str that concatenates “Number is " with the string representation of the x column values using the strcat() function. It then adds the replaced column where “was” replaces the word “is” in the strings from the str column.

range x from 1 to 5 step 1
| extend str=strcat('Number is ', tostring(x))
| extend replaced=replace_string(str, 'is', 'was')

Output

x	str	replaced
1	Number is 1.000000	Number was 1.000000
2	Number is 2.000000	Number was 2.000000
3	Number is 3.000000	Number was 3.000000
4	Number is 4.000000	Number was 4.000000
5	Number is 5.000000	Number was 5.000000

To replace multiple strings, see replace_strings().
To replace strings based on regular expression, see replace_regex().
To replace a set of characters, see translate().

194 - replace_strings()

Learn how to use the replace_strings() function to replace multiple strings matches with multiple replacement strings.

Replaces all strings matches with specified strings.

To replace an individual string, see replace_string().

Syntax

replace_strings(text, lookups, rewrites)

Parameters

Name	Type	Required	Description
text	`string`	✔️	The source string.
lookups	`dynamic`	✔️	The array that includes lookup strings. Array element that isn’t a string is ignored.
rewrites	`dynamic`	✔️	The array that includes rewrites. Array element that isn’t a string is ignored (no replacement made).

Returns

Returns text after replacing all matches of lookups with evaluations of rewrites. Matches don’t overlap.

Examples

Simple replacement

print Message="A magic trick can turn a cat into a dog"
| extend Outcome = replace_strings(
        Message,
        dynamic(['cat', 'dog']), // Lookup strings
        dynamic(['dog', 'pigeon']) // Replacements
        )

Message	Outcome
A magic trick can turn a cat into a dog	A magic trick can turn a dog into a pigeon

Replacement with an empty string

Replacement with an empty string removes the matching string.

print Message="A magic trick can turn a cat into a dog"
| extend Outcome = replace_strings(
        Message,
        dynamic(['turn', ' into a dog']), // Lookup strings
        dynamic(['disappear', '']) // Replacements
        )

Message	Outcome
A magic trick can turn a cat into a dog	A magic trick can disappear a cat

Replacement order

The order of match elements matters: the earlier match takes the precedence. Note the difference between Outcome1 and Outcome2: This vs Thwas.

 print Message="This is an example of using replace_strings()"
| extend Outcome1 = replace_strings(
        Message,
        dynamic(['This', 'is']), // Lookup strings
        dynamic(['This', 'was']) // Replacements
        ),
        Outcome2 = replace_strings(
        Message,
        dynamic(['is', 'This']), // Lookup strings
        dynamic(['was', 'This']) // Replacements
        )

Message	Outcome1	Outcome2
This is an example of using replace_strings()	This was an example of using replace_strings()	Thwas was an example of using replace_strings()

Nonstring replacement

Replace elements that aren’t strings aren’t replaced and the original string is kept. The match is still considered being valid, and other possible replacements aren’t performed on the matched string. In the following example, ‘This’ isn’t replaced with the numeric 12345, and it remains in the output unaffected by possible match with ‘is’.

 print Message="This is an example of using replace_strings()"
| extend Outcome = replace_strings(
        Message,
        dynamic(['This', 'is']), // Lookup strings
        dynamic([12345, 'was']) // Replacements
        )

Message	Outcome
This is an example of using replace_strings()	This was an example of using replace_strings()

For a replacement of a single string, see replace_string().
For a replacement based on regular expression, see replace_regex().
For replacing a set of characters, see translate().

195 - reverse()

Learn how to use the reverse() function to reverse the order of the input string.

Function reverses the order of the input string. If the input value isn’t of type string, then the function forcibly casts the value to type string.

Syntax

reverse(value)

Parameters

Name	Type	Required	Description
value	`string`	✔️	input value.

Returns

The reverse order of a string value.

Examples

print str = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
| extend rstr = reverse(str)

Output

str	rstr
ABCDEFGHIJKLMNOPQRSTUVWXYZ	ZYXWVUTSRQPONMLKJIHGFEDCBA

print ['int'] = 12345, ['double'] = 123.45, 
['datetime'] = datetime(2017-10-15 12:00), ['timespan'] = 3h
| project rint = reverse(['int']), rdouble = reverse(['double']), 
rdatetime = reverse(['datetime']), rtimespan = reverse(['timespan'])

Output

rint	rdouble	rdatetime	rtimespan
54321	54.321	Z0000000.00:00:21T51-01-7102	00:00:30

196 - round()

Learn how to use the round() function to round the number to the specified precision.

Returns the rounded number to the specified precision.

Syntax

round(number [, precision])

Parameters

Name	Type	Required	Description
number	long or real	✔️	The number to calculate the round on.
precision	`int`		The number of digits to round to. The default is 0.

Returns

The rounded number to the specified precision.

Round is different from the bin() function in that the round() function rounds a number to a specific number of digits while the bin() function rounds the value to an integer multiple of a given bin size. For example, round(2.15, 1) returns 2.2 while bin(2.15, 1) returns 2.

Examples

round(2.98765, 3)   // 2.988
round(2.15, 1)      // 2.2
round(2.15)         // 2 // equivalent to round(2.15, 0)
round(-50.55, -2)   // -100
round(21.5, -1)     // 20

197 - Scalar Functions

Learn how to use scalar functions to perform calculations that return a single value.

This article lists all available scalar functions grouped by type. For aggregation functions, see Aggregation function types.

Binary functions

Function Name	Description
binary_and()	Returns a result of the bitwise and operation between two values.
binary_not()	Returns a bitwise negation of the input value.
binary_or()	Returns a result of the bitwise or operation of the two values.
binary_shift_left()	Returns binary shift left operation on a pair of numbers: a « n.
binary_shift_right()	Returns binary shift right operation on a pair of numbers: a » n.
binary_xor()	Returns a result of the bitwise xor operation of the two values.
bitset_count_ones()	Returns the number of set bits in the binary representation of a number.

Conversion functions

Function Name	Description
tobool()	Convert inputs to boolean (signed 8-bit) representation.
todatetime()	Converts input to datetime scalar.
todouble()	Converts the input to a value of type real.
tostring()	Converts input to a string representation.
totimespan()	Converts input to timespan scalar.

DateTime/timespan functions

Function Name	Description
ago()	Subtracts the given timespan from the current UTC clock time.
datetime_add()	Calculates a new datetime from a specified datepart multiplied by a specified amount, added to a specified datetime.
datetime_diff()	Returns the end of the year containing the date, shifted by an offset, if provided.
datetime_local_to_utc()	Converts local datetime to UTC datetime using a time-zone specification.
datetime_part()	Extracts the requested date part as an integer value.
datetime_utc_to_local()	Converts UTC datetimgoe to local datetime using a time-zone specification.
dayofmonth()	Returns the integer number representing the day number of the given month.
dayofweek()	Returns the integer number of days since the preceding Sunday, as a timespan.
dayofyear()	Returns the integer number represents the day number of the given year.
endofday()	Returns the end of the day containing the date, shifted by an offset, if provided.
endofmonth()	Returns the end of the month containing the date, shifted by an offset, if provided.
endofweek()	Returns the end of the week containing the date, shifted by an offset, if provided.
endofyear()	Returns the end of the year containing the date, shifted by an offset, if provided.
format_datetime()	Formats a datetime parameter based on the format pattern parameter.
format_timespan()	Formats a format-timespan parameter based on the format pattern parameter.
getyear()	Returns the year part of the datetime argument.
hourofday()	Returns the integer number representing the hour number of the given date.
make_datetime()	Creates a datetime scalar value from the specified date and time.
make_timespan()	Creates a timespan scalar value from the specified time period.
monthofyear()	Returns the integer number that represents the month number of the given year.
now()	Returns the current UTC clock time, optionally offset by a given timespan.
startofday()	Returns the start of the day containing the date, shifted by an offset, if provided.
startofmonth()	Returns the start of the month containing the date, shifted by an offset, if provided.
startofweek()	Returns the start of the week containing the date, shifted by an offset, if provided.
startofyear()	Returns the start of the year containing the date, shifted by an offset, if provided.
todatetime()	Converts input to datetime scalar.
totimespan()	Converts input to timespan scalar.
unixtime_microseconds_todatetime()	Converts unix-epoch microseconds to UTC datetime.
unixtime_milliseconds_todatetime()	Converts unix-epoch milliseconds to UTC datetime.
unixtime_nanoseconds_todatetime()	Converts unix-epoch nanoseconds to UTC datetime.
unixtime_seconds_todatetime()	Converts unix-epoch seconds to UTC datetime.
weekofyear()	Returns an integer representing the week number.

Dynamic/array functions

Function Name	Description
array_concat()	Concatenates a number of dynamic arrays to a single array.
array_iff()	Applies element-wise iif function on arrays.
array_index_of()	Searches the array for the specified item, and returns its position.
array_length()	Calculates the number of elements in a dynamic array.
array_reverse()	Reverses the order of the elements in a dynamic array.
array_rotate_left()	Rotates values inside a dynamic array to the left.
array_rotate_right()	Rotates values inside a dynamic array to the right.
array_shift_left()	Shifts values inside a dynamic array to the left.
array_shift_right()	Shifts values inside a dynamic array to the right.
array_slice()	Extracts a slice of a dynamic array.
array_sort_asc()	Sorts a collection of arrays in ascending order.
array_sort_desc()	Sorts a collection of arrays in descending order.
array_split()	Builds an array of arrays split from the input array.
array_sum()	Calculates the sum of a dynamic array.
`bag_has_key()`	Checks whether a dynamic bag column contains a given key.
bag_keys()	Enumerates all the root keys in a dynamic property-bag object.
bag_merge()	Merges dynamic property-bags into a dynamic property-bag with all properties merged.
bag_pack()	Creates a dynamic object (property bag) from a list of names and values.
bag_pack_columns()	Creates a dynamic object (property bag) from a list of columns.
bag_remove_keys()	Removes keys and associated values from a dynamic property-bag.
bag_set_key()	Sets a given key to a given value in a dynamic property-bag.
jaccard_index()	Computes the Jaccard index of two sets.
pack_all()	Creates a dynamic object (property bag) from all the columns of the tabular expression.
pack_array()	Packs all input values into a dynamic array.
repeat()	Generates a dynamic array holding a series of equal values.
set_difference()	Returns an array of the set of all distinct values that are in the first array but aren’t in other arrays.
set_has_element()	Determines whether the specified array contains the specified element.
set_intersect()	Returns an array of the set of all distinct values that are in all arrays.
set_union()	Returns an array of the set of all distinct values that are in any of provided arrays.
treepath()	Enumerates all the path expressions that identify leaves in a dynamic object.
zip()	The zip function accepts any number of dynamic arrays. Returns an array whose elements are each an array with the elements of the input arrays of the same index.

Window scalar functions

Function Name	Description
next()	For the serialized row set, returns a value of a specified column from the later row according to the offset.
prev()	For the serialized row set, returns a value of a specified column from the earlier row according to the offset.
row_cumsum()	Calculates the cumulative sum of a column.
row_number()	Returns a row’s number in the serialized row set - consecutive numbers starting from a given index or from 1 by default.
row_rank_dense()	Returns a row’s dense rank in the serialized row set.
row_rank_min()	Returns a row’s minimal rank in the serialized row set.

Flow control functions

Function Name	Description
toscalar()	Returns a scalar constant value of the evaluated expression.

Mathematical functions

Function Name	Description
abs()	Calculates the absolute value of the input.
acos()	Returns the angle whose cosine is the specified number (the inverse operation of cos()).
asin()	Returns the angle whose sine is the specified number (the inverse operation of sin()).
atan()	Returns the angle whose tangent is the specified number (the inverse operation of tan()).
atan2()	Calculates the angle, in radians, between the positive x-axis and the ray from the origin to the point (y, x).
beta_cdf()	Returns the standard cumulative beta distribution function.
beta_inv()	Returns the inverse of the beta cumulative probability beta density function.
beta_pdf()	Returns the probability density beta function.
cos()	Returns the cosine function.
cot()	Calculates the trigonometric cotangent of the specified angle, in radians.
degrees()	Converts angle value in radians into value in degrees, using formula degrees = (180 / PI) * angle-in-radians.
erf()	Returns the error function.
erfc()	Returns the complementary error function.
exp()	The base-e exponential function of x, which is e raised to the power x: e^x.
exp10()	The base-10 exponential function of x, which is 10 raised to the power x: 10^x.
exp2()	The base-2 exponential function of x, which is 2 raised to the power x: 2^x.
gamma()	Computes gamma function.
isfinite()	Returns whether input is a finite value (isn’t infinite or NaN).
isinf()	Returns whether input is an infinite (positive or negative) value.
isnan()	Returns whether input is Not-a-Number (NaN) value.
log()	Returns the natural logarithm function.
log10()	Returns the common (base-10) logarithm function.
log2()	Returns the base-2 logarithm function.
loggamma()	Computes log of absolute value of the gamma function.
not()	Reverses the value of its bool argument.
pi()	Returns the constant value of Pi (π).
pow()	Returns a result of raising to power.
radians()	Converts angle value in degrees into value in radians, using formula radians = (PI / 180) * angle-in-degrees.
rand()	Returns a random number.
range()	Generates a dynamic array holding a series of equally spaced values.
round()	Returns the rounded source to the specified precision.
sign()	Sign of a numeric expression.
sin()	Returns the sine function.
sqrt()	Returns the square root function.
tan()	Returns the tangent function.
welch_test()	Computes the p-value of the Welch-test function.

Metadata functions

Function Name	Description
column_ifexists()	Takes a column name as a string and a default value. Returns a reference to the column if it exists, otherwise - returns the default value.
current_cluster_endpoint()	Returns the current cluster running the query.
current_database()	Returns the name of the database in scope.
current_principal()	Returns the current principal running this query.
current_principal_details()	Returns details of the principal running the query.
current_principal_is_member_of()	Checks group membership or principal identity of the current principal running the query.
cursor_after()	Used to access to the records that were ingested after the previous value of the cursor.
estimate_data_size()	Returns an estimated data size of the selected columns of the tabular expression.
extent_id()	Returns a unique identifier that identifies the data shard (“extent”) that the current record resides in.
extent_tags()	Returns a dynamic array with the tags of the data shard (“extent”) that the current record resides in.
ingestion_time()	Retrieves the record’s $IngestionTime hidden datetime column, or null.

Rounding functions

Function Name	Description
bin()	Rounds values down to an integer multiple of a given bin size.
bin_at()	Rounds values down to a fixed-size “bin”, with control over the bin’s starting point. (See also bin function.)
ceiling()	Calculates the smallest integer greater than, or equal to, the specified numeric expression.

Conditional functions

Function Name	Description
case()	Evaluates a list of predicates and returns the first result expression whose predicate is satisfied.
coalesce()	Evaluates a list of expressions and returns the first non-null (or non-empty for string) expression.
iff()	Evaluate the first argument (the predicate), and returns the value of either the second or third arguments, depending on whether the predicate evaluated to true (second) or false (third).
max_of()	Returns the maximum value of several evaluated numeric expressions.
min_of()	Returns the minimum value of several evaluated numeric expressions.

Series element-wise functions

Function Name	Description
series_abs()	Calculates the element-wise absolute value of the numeric series input.
series_acos()	Calculates the element-wise arccosine function of the numeric series input.
series_add()	Calculates the element-wise addition of two numeric series inputs.
series_asin()	Calculates the element-wise arcsine function of the numeric series input.
series_atan()	Calculates the element-wise arctangent function of the numeric series input.
series_ceiling()	Calculates the element-wise ceiling function of the numeric series input.
series_cos()	Calculates the element-wise cosine function of the numeric series input.
series_divide()	Calculates the element-wise division of two numeric series inputs.
series_equals()	Calculates the element-wise equals (`==`) logic operation of two numeric series inputs.
series_exp()	Calculates the element-wise base-e exponential function (e^x) of the numeric series input.
series_floor()	Calculates the element-wise floor function of the numeric series input.
series_greater()	Calculates the element-wise greater (`>`) logic operation of two numeric series inputs.
series_greater_equals()	Calculates the element-wise greater or equals (`>=`) logic operation of two numeric series inputs.
series_less()	Calculates the element-wise less (`<`) logic operation of two numeric series inputs.
series_less_equals()	Calculates the element-wise less or equal (`<=`) logic operation of two numeric series inputs.
series_log()	Calculates the element-wise natural logarithm function (base-e) of the numeric series input.
series_multiply()	Calculates the element-wise multiplication of two numeric series inputs.
series_not_equals()	Calculates the element-wise not equals (`!=`) logic operation of two numeric series inputs.
series_pow()	Calculates the element-wise power of two numeric series inputs.
series_sign()	Calculates the element-wise sign of the numeric series input.
series_sin()	Calculates the element-wise sine function of the numeric series input.
series_subtract()	Calculates the element-wise subtraction of two numeric series inputs.
series_tan()	Calculates the element-wise tangent function of the numeric series input.

Series processing functions

Function Name	Description
series_cosine_similarity()	Calculates the cosine similarity of two numeric series.
series_decompose()	Does a decomposition of the series into components.
series_decompose_anomalies()	Finds anomalies in a series based on series decomposition.
series_decompose_forecast()	Forecast based on series decomposition.
series_dot_product()	Calculates the dot product of two numeric series.
series_fill_backward()	Performs backward fill interpolation of missing values in a series.
series_fill_const()	Replaces missing values in a series with a specified constant value.
series_fill_forward()	Performs forward fill interpolation of missing values in a series.
series_fill_linear()	Performs linear interpolation of missing values in a series.
series_fft()	Applies the Fast Fourier Transform (FFT) on a series.
series_fir()	Applies a Finite Impulse Response filter on a series.
series_fit_2lines()	Applies two segments linear regression on a series, returning multiple columns.
series_fit_2lines_dynamic()	Applies two segments linear regression on a series, returning dynamic object.
series_fit_line()	Applies linear regression on a series, returning multiple columns.
series_fit_line_dynamic()	Applies linear regression on a series, returning dynamic object.
series_fit_poly()	Applies polynomial regression on a series, returning multiple columns.
series_ifft()	Applies the Inverse Fast Fourier Transform (IFFT) on a series.
series_iir()	Applies an Infinite Impulse Response filter on a series.
series_magnitude()	Calculates the magnitude of the numeric series.
series_outliers()	Scores anomaly points in a series.
series_pearson_correlation()	Calculates the Pearson correlation coefficient of two series.
series_periods_detect()	Finds the most significant periods that exist in a time series.
series_periods_validate()	Checks whether a time series contains periodic patterns of given lengths.
series_seasonal()	Finds the seasonal component of the series.
series_stats()	Returns statistics for a series in multiple columns.
series_stats_dynamic()	Returns statistics for a series in dynamic object.
series_sum()	Calculates the sum of numeric series elements.

String functions

Function Name	Description
base64_encode_tostring()	Encodes a string as base64 string.
base64_encode_fromguid()	Encodes a GUID as base64 string.
base64_decode_tostring()	Decodes a base64 string to a UTF-8 string.
base64_decode_toarray()	Decodes a base64 string to an array of long values.
base64_decode_toguid()	Decodes a base64 string to a GUID.
countof()	Counts occurrences of a substring in a string. Plain string matches may overlap; regex matches don’t.
extract()	Get a match for a regular expression from a text string.
extract_all()	Get all matches for a regular expression from a text string.
extract_json()	Get a specified element out of a JSON text using a path expression.
has_any_index()	Searches the string for items specified in the array and returns the position of the first item found in the string.
indexof()	Function reports the zero-based index of the first occurrence of a specified string within input string.
isempty()	Returns true if the argument is an empty string or is null.
isnotempty()	Returns true if the argument isn’t an empty string or a null.
isnotnull()	Returns true if the argument is not null.
isnull()	Evaluates its sole argument and returns a bool value indicating if the argument evaluates to a null value.
parse_command_line()	Parses a Unicode command line string and returns an array of the command line arguments.
parse_csv()	Splits a given string representing comma-separated values and returns a string array with these values.
parse_ipv4()	Converts input to long (signed 64-bit) number representation.
parse_ipv4_mask()	Converts input string and IP-prefix mask to long (signed 64-bit) number representation.
parse_ipv6()	Converts IPv6 or IPv4 string to a canonical IPv6 string representation.
parse_ipv6_mask()	Converts IPv6 or IPv4 string and netmask to a canonical IPv6 string representation.
parse_json()	Interprets a string as a JSON value and returns the value as dynamic.
parse_url()	Parses an absolute URL string and returns a dynamic object contains all parts of the URL.
parse_urlquery()	Parses a url query string and returns a dynamic object contains the Query parameters.
parse_version()	Converts input string representation of version to a comparable decimal number.
replace_regex()	Replace all regex matches with another string.
replace_string()	Replace all single string matches with a specified string.
replace_strings()	Replace all multiple strings matches with specified strings.
punycode_from_string()	Encodes domain name to Punycode form.
punycode_to_string()	Decodes domain name from Punycode form.
reverse()	Function makes reverse of input string.
split()	Splits a given string according to a given delimiter and returns a string array with the contained substrings.
strcat()	Concatenates between 1 and 64 arguments.
strcat_delim()	Concatenates between 2 and 64 arguments, with delimiter, provided as first argument.
strcmp()	Compares two strings.
strlen()	Returns the length, in characters, of the input string.
strrep()	Repeats given string provided number of times (default - 1).
substring()	Extracts a substring from a source string starting from some index to the end of the string.
toupper()	Converts a string to upper case.
translate()	Replaces a set of characters (‘searchList’) with another set of characters (‘replacementList’) in a given a string.
trim()	Removes all leading and trailing matches of the specified regular expression.
trim_end()	Removes trailing match of the specified regular expression.
trim_start()	Removes leading match of the specified regular expression.
url_decode()	The function converts encoded URL into a regular URL representation.
url_encode()	The function converts characters of the input URL into a format that can be transmitted over the Internet.

IPv4/IPv6 functions

Function Name	Description
ipv4_compare()	Compares two IPv4 strings.
ipv4_is_in_range()	Checks if IPv4 string address is in IPv4-prefix notation range.
ipv4_is_in_any_range()	Checks if IPv4 string address is any of the IPv4-prefix notation ranges.
ipv4_is_match()	Matches two IPv4 strings.
ipv4_is_private()	Checks if IPv4 string address belongs to a set of private network IPs.
ipv4_netmask_suffix	Returns the value of the IPv4 netmask suffix from IPv4 string address.
parse_ipv4()	Converts input string to long (signed 64-bit) number representation.
parse_ipv4_mask()	Converts input string and IP-prefix mask to long (signed 64-bit) number representation.
ipv4_range_to_cidr_list()	Converts IPv4 address range to a list of CIDR ranges.
ipv6_compare()	Compares two IPv4 or IPv6 strings.
ipv6_is_match()	Matches two IPv4 or IPv6 strings.
parse_ipv6()	Converts IPv6 or IPv4 string to a canonical IPv6 string representation.
parse_ipv6_mask()	Converts IPv6 or IPv4 string and netmask to a canonical IPv6 string representation.
format_ipv4()	Parses input with a netmask and returns string representing IPv4 address.
format_ipv4_mask()	Parses input with a netmask and returns string representing IPv4 address as CIDR notation.
ipv6_is_in_range()	Checks if an IPv6 string address is in IPv6-prefix notation range.
ipv6_is_in_any_range()	Checks if an IPv6 string address is in any of the IPv6-prefix notation ranges.
geo_info_from_ip_address()	Retrieves geolocation information about IPv4 or IPv6 addresses.

IPv4 text match functions

Function Name	Description
has_ipv4()	Searches for an IPv4 address in a text.
has_ipv4_prefix()	Searches for an IPv4 address or prefix in a text.
has_any_ipv4()	Searches for any of the specified IPv4 addresses in a text.
has_any_ipv4_prefix()	Searches for any of the specified IPv4 addresses or prefixes in a text.

Type functions

Function Name	Description
gettype()	Returns the runtime type of its single argument.

Scalar aggregation functions

Function Name	Description
dcount_hll()	Calculates the dcount from hll results (which was generated by hll or hll-merge).
hll_merge()	Merges hll results (scalar version of the aggregate version hll-merge()).
percentile_tdigest()	Calculates the percentile result from tdigest results (which was generated by tdigest or merge_tdigest).
percentile_array_tdigest()	Calculates the percentile array result from tdigest results (which was generated by tdigest or merge_tdigest).
percentrank_tdigest()	Calculates the percentage ranking of a value in a dataset.
rank_tdigest()	Calculates relative rank of a value in a set.
merge_tdigest()	Merge tdigest results (scalar version of the aggregate version tdigest-merge()).

Geospatial functions

Function Name	Description
geo_angle()	Calculates clockwise angle in radians between two lines on Earth.
geo_azimuth()	Calculates clockwise angle in radians between the line from point1 to true north and a line from point1 to point2 on Earth.
geo_distance_2points()	Calculates the shortest distance between two geospatial coordinates on Earth.
geo_distance_point_to_line()	Calculates the shortest distance between a coordinate and a line or multiline on Earth.
geo_distance_point_to_polygon()	Calculates the shortest distance between a coordinate and a polygon or multipolygon on Earth.
geo_intersects_2lines()	Calculates whether the two lines or multilines intersects.
geo_intersects_2polygons()	Calculates whether the two polygons or multipolygons intersects.
geo_intersects_line_with_polygon()	Calculates whether the line or multiline intersects with polygon or multipolygon.
geo_intersection_2lines()	Calculates the intersection of two lines or multilines.
geo_intersection_2polygons()	Calculates the intersection of two polygons or multipolygons.
geo_intersection_line_with_polygon()	Calculates the intersection of line or multiline with polygon or multipolygon.
geo_point_buffer()	Calculates polygon that contains all points within the given radius of the point on Earth.
geo_point_in_circle()	Calculates whether the geospatial coordinates are inside a circle on Earth.
geo_point_in_polygon()	Calculates whether the geospatial coordinates are inside a polygon or a multipolygon on Earth.
geo_point_to_geohash()	Calculates the Geohash string value for a geographic location.
geo_point_to_s2cell()	Calculates the S2 Cell token string value for a geographic location.
geo_point_to_h3cell()	Calculates the H3 Cell token string value for a geographic location.
geo_line_buffer()	Calculates polygon or multipolygon that contains all points within the given radius of the input line or multiline on Earth.
geo_line_centroid()	Calculates the centroid of line or a multiline on Earth.
geo_line_densify()	Converts planar line edges to geodesics by adding intermediate points.
geo_line_length()	Calculates the total length of line or a multiline on Earth.
geo_line_simplify()	Simplifies line or a multiline by replacing nearly straight chains of short edges with a single long edge on Earth.
geo_line_to_s2cells()	Calculates S2 cell tokens that cover a line or multiline on Earth. Useful geospatial join tool.
geo_polygon_area()	Calculates the area of polygon or a multipolygon on Earth.
geo_polygon_buffer()	Calculates polygon or multipolygon that contains all points within the given radius of the input polygon or multipolygon on Earth.
geo_polygon_centroid()	Calculates the centroid of polygon or a multipolygon on Earth.
geo_polygon_densify()	Converts polygon or multipolygon planar edges to geodesics by adding intermediate points.
geo_polygon_perimeter()	Calculates the length of the boundary of polygon or a multipolygon on Earth.
geo_polygon_simplify()	Simplifies polygon or a multipolygon by replacing nearly straight chains of short edges with a single long edge on Earth.
geo_polygon_to_s2cells()	Calculates S2 Cell tokens that cover a polygon or multipolygon on Earth. Useful geospatial join tool.
geo_polygon_to_h3cells()	Converts polygon to H3 cells. Useful geospatial join and visualization tool.
geo_geohash_to_central_point()	Calculates the geospatial coordinates that represent the center of a Geohash rectangular area.
geo_geohash_neighbors()	Calculates the geohash neighbors.
geo_geohash_to_polygon()	Calculates the polygon that represents the geohash rectangular area.
geo_s2cell_to_central_point()	Calculates the geospatial coordinates that represent the center of an S2 Cell.
geo_s2cell_neighbors()	Calculates the S2 cell neighbors.
geo_s2cell_to_polygon()	Calculates the polygon that represents the S2 Cell rectangular area.
geo_h3cell_to_central_point()	Calculates the geospatial coordinates that represent the center of an H3 Cell.
geo_h3cell_neighbors()	Calculates the H3 cell neighbors.
geo_h3cell_to_polygon()	Calculates the polygon that represents the H3 Cell rectangular area.
geo_h3cell_parent()	Calculates the H3 cell parent.
geo_h3cell_children()	Calculates the H3 cell children.
geo_h3cell_level()	Calculates the H3 cell resolution.
geo_h3cell_rings()	Calculates the H3 cell Rings.
geo_simplify_polygons_array()	Simplifies polygons by replacing nearly straight chains of short edges with a single long edge, while ensuring mutual boundaries consistency related to each other, on Earth.
geo_union_lines_array()	Calculates the union of lines or multilines on Earth.
geo_union_polygons_array()	Calculates the union of polygons or multipolygons on Earth.

Hash functions

Function Name	Description
hash()	Returns a hash value for the input value.
hash_combine()	Combines two or more hash values.
hash_many()	Returns a combined hash value of multiple values.
hash_md5()	Returns an MD5 hash value for the input value.
hash_sha1()	Returns a SHA1 hash value for the input value.
hash_sha256()	Returns a SHA256 hash value for the input value.
hash_xxhash64()	Returns an XXHASH64 hash value for the input value.

Units conversion functions

Function Name	Description
convert_angle()	Returns the input value converted from one angle unit to another
convert_energy()	Returns the input value converted from one energy unit to another
convert_force()	Returns the input value converted from one force unit to another
convert_length()	Returns the input value converted from one length unit to another
convert_mass()	Returns the input value converted from one mass unit to another
convert_speed()	Returns the input value converted from one speed unit to another
convert_temperature()	Returns the input value converted from one temperature unit to another
convert_volume()	Returns the input value converted from one volume unit to another

| convert_volume() | Returns the input value converted from one volume unit to another |

198 - set_difference()

Learn how to use the set_difference() function to create a difference set of all distinct values in the first array that aren’t in the other array inputs.

Returns a dynamic (JSON) array of the set of all distinct values that are in the first array but aren’t in other arrays - (((arr1 \ arr2) \ arr3) \ …).

Syntax

set_difference(set1, set2 [,set3, …])

Parameters

Name	Type	Required	Description
set1…setN	`dynamic`	✔️	Arrays used to create a difference set. A minimum of 2 arrays are required. See pack_array.

Returns

Returns a dynamic array of the set of all distinct values that are in set1 but aren’t in other arrays.

Example

range x from 1 to 3 step 1
| extend y = x * 2
| extend z = y * 2
| extend w = z * 2
| extend a1 = pack_array(x,y,x,z), a2 = pack_array(x, y), a3 = pack_array(x,y,w)
| project set_difference(a1, a2, a3)

Output

Column1
[4]
[8]
[12]

print arr = set_difference(dynamic([1,2,3]), dynamic([1,2,3]))

Output

arr
[]

199 - set_has_element()

Learn how to use the set_has_element() function to determine if the input set contains the specified value.

Determines whether the specified set contains the specified element.

Syntax

set_has_element(set, value)

Parameters

Name	Type	Required	Description
set	`dynamic`	✔️	The input array to search.
value		✔️	The value for which to search. The value should be of type `long`, `int`, `double`, `datetime`, `timespan`, `decimal`, `string`, `guid`, or `bool`.

Returns

true or false depending on if the value exists in the array.

Example

print arr=dynamic(["this", "is", "an", "example"]) 
| project Result=set_has_element(arr, "example")

Output

Result
true

Use array_index_of(arr, value) to find the position at which the value exists in the array. Both functions are equally performant.

200 - set_intersect()

Learn how to use the set_intersect() function to create a set of the distinct values that are in all the array inputs.

Returns a dynamic array of the set of all distinct values that are in all arrays - (arr1 ∩ arr2 ∩ …).

Syntax

set_intersect(set1, set2 [, set3, …])

Parameters

Name	Type	Required	Description
set1…setN	`dynamic`	✔️	Arrays used to create an intersect set. A minimum of 2 arrays are required. See pack_array.

Returns

Returns a dynamic array of the set of all distinct values that are in all arrays.

Example

range x from 1 to 3 step 1
| extend y = x * 2
| extend z = y * 2
| extend w = z * 2
| extend a1 = pack_array(x,y,x,z), a2 = pack_array(x, y), a3 = pack_array(w,x)
| project set_intersect(a1, a2, a3)

Output

Column1
[1]
[2]
[3]

print arr = set_intersect(dynamic([1, 2, 3]), dynamic([4,5]))

Output

arr
[]

201 - set_union()

Learn how to use the set_union() function to create a union set of all the distinct values in all of the array inputs.

Returns a dynamic array of the set of all distinct values that are in any of the arrays - (arr1 ∪ arr2 ∪ …).

Syntax

set_union(set1, set2 [, set3, …])

Parameters

Name	Type	Required	Description
set1…setN	`dynamic`	✔️	Arrays used to create a union set. A minimum of two arrays are required. See pack_array.

Returns

Returns a dynamic array of the set of all distinct values that are in any of arrays.

Example

Set from multiple dynamic array

range x from 1 to 3 step 1
| extend y = x * 2
| extend z = y * 2
| extend w = z * 2
| extend a1 = pack_array(x,y,x,z), a2 = pack_array(x, y), a3 = pack_array(w)
| project a1,a2,a3,Out=set_union(a1, a2, a3)

Output

a1	a2	a3	`Out`
[1,2,1,4]	[1,2]	[8]	[1,2,4,8]
[2,4,2,8]	[2,4]	[16]	[2,4,8,16]
[3,6,3,12]	[3,6]	[24]	[3,6,12,24]

Set from one dynamic array

datatable (Arr1: dynamic)
[
    dynamic(['A4', 'A2', 'A7', 'A2']), 
    dynamic(['C4', 'C7', 'C1', 'C4'])
] 
| extend Out=set_union(Arr1, Arr1)

Output

Arr1	`Out`
[“A4”,“A2”,“A7”,“A2”]	[“A4”,“A2”,“A7”]
[“C4”,“C7”,“C1”,“C4”]	[“C4”,“C7”,“C1”]

202 - sign()

Learn how to use the sign() function to return the sign of the numeric expression.

Returns the sign of the numeric expression.

Syntax

sign(number)

Parameters

Name	Type	Required	Description
number	`real`	✔️	The number for which to return the sign.

Returns

The positive (+1), zero (0), or negative (-1) sign of the specified expression.

Examples

print s1 = sign(-42), s2 = sign(0), s3 = sign(11.2)

Output

s1	s2	s3
-1	0	1

203 - sin()

Learn how to use the sin() function to return the sine value of the input.

Returns the sine function value of the specified angle. The angle is specified in radians.

Syntax

sin(number)

Parameters

Name	Type	Required	Description
number	`real`	✔️	The value in radians for which to calculate the sine.

Returns

The sine of number of radians.

Example

print sin(1)

Output

result
0.841470984807897

204 - split()

Learn how to use the split() function to split the source string according to a given delimiter.

The split() function takes a string and splits it into substrings based on a specified delimiter, returning the substrings in an array. Optionally, you can retrieve a specific substring by specifying its index.

Syntax

split(source, delimiter [, requestedIndex])

Parameters

Name	Type	Required	Description
source	`string`	✔️	The source string that is split according to the given delimiter.
delimiter	`string`	✔️	The delimiter that will be used in order to split the source string.
requestedIndex	`int`		A zero-based index. If provided, the returned string array contains the requested substring at the index if it exists.

Returns

An array of substrings obtained by separating the source string by the specified delimiter, or a single substring at the specified requestedIndex.

Examples

print
    split("aa_bb", "_"),           // ["aa","bb"]
    split("aaa_bbb_ccc", "_", 1),  // ["bbb"]
    split("", "_"),                // [""]
    split("a__b", "_"),            // ["a","","b"]
    split("aabbcc", "bb")          // ["aa","cc"]

print_0	print_1	print_2	print_3	print4
[“aa”,“bb”]	[“bbb”]	[""]	[“a”,"",“b”]	[“aa”,“cc”]

205 - sqrt()

Learn how to use the sqrt() function to return the square root of the input,

Returns the square root of the input.

Syntax

sqrt(number)

Parameters

Name	Type	Required	Description
number	int, long, or real	✔️	The number for which to calculate the square root.

Returns

A positive number such that sqrt(x) * sqrt(x) == x
null if the argument is negative or can’t be converted to a real value.

206 - startofday()

Learn how to use the startofday() function to return the start of the day for the given date.

Returns the start of the day containing the date, shifted by an offset, if provided.

Syntax

startofday(date [, offset ])

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The date for which to find the start.
offset	`int`		The number of days to offset from the input date. The default is 0.

Returns

A datetime representing the start of the day for the given date value, with the offset, if specified.

Example

range offset from -1 to 1 step 1
| project dayStart = startofday(datetime(2017-01-01 10:10:17), offset)

Output

dayStart
2016-12-31 00:00:00.0000000
2017-01-01 00:00:00.0000000
2017-01-02 00:00:00.0000000

207 - startofmonth()

Learn how to use the startofmonth() function to return the start of the month for the given date.

Returns the start of the month containing the date, shifted by an offset, if provided.

Syntax

startofmonth(date [, offset ])

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The date for which to find the start of month.
offset	`int`		The number of months to offset from the input date. The default is 0.

Returns

A datetime representing the start of the month for the given date value, with the offset, if specified.

Example

range offset from -1 to 1 step 1
| project monthStart = startofmonth(datetime(2017-01-01 10:10:17), offset)

Output

monthStart
2016-12-01 00:00:00.0000000
2017-01-01 00:00:00.0000000
2017-02-01 00:00:00.0000000

208 - startofweek()

Learn how to use the startofweek() function to return the start of the week for the given date.

Returns the start of the week containing the date, shifted by an offset, if provided.

Start of the week is considered to be a Sunday.

Syntax

startofweek(date [, offset ])

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The date for which to find the start of week.
offset	`int`		The number of weeks to offset from the input date. The default is 0.

Returns

A datetime representing the start of the week for the given date value, with the offset, if specified.

Example

range offset from -1 to 1 step 1
| project weekStart = startofweek(datetime(2017-01-01 10:10:17), offset)

Output

weekStart
2016-12-25 00:00:00.0000000
2017-01-01 00:00:00.0000000
2017-01-08 00:00:00.0000000

209 - startofyear()

Learn how to use the startofyear() function to return the start of the year for the given date.

Returns the start of the year containing the date, shifted by an offset, if provided.

Syntax

startofyear(date [, offset ])

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The date for which to find the start of the year.
offset	`int`		The number of years to offset from the input date. The default is 0.

Returns

A datetime representing the start of the year for the given date value, with the offset, if specified.

Example

range offset from -1 to 1 step 1
| project yearStart = startofyear(datetime(2017-01-01 10:10:17), offset)

Output

yearStart
2016-01-01 00:00:00.0000000
2017-01-01 00:00:00.0000000
2018-01-01 00:00:00.0000000

210 - strcat_array()

Learn how to use the strcat_array() function to create a concatenated string of array values using a specified delimiter.

Creates a concatenated string of array values using a specified delimiter.

Syntax

strcat_array(array, delimiter)

Parameters

Name	Type	Required	Description
array	`dynamic`	✔️	An array of values to be concatenated.
delimeter	`string`	✔️	The value used to concatenate the values in array.

Returns

The input array values concatenated to a single string with the specified delimiter.

Examples

Custom delimeter

print str = strcat_array(dynamic([1, 2, 3]), "->")

Output

str
1->2->3

Using quotes as the delimeter

To use quotes as the delimeter, enclose the quotes in single quotes.

print str = strcat_array(dynamic([1, 2, 3]), '"')

Output

str
1"2"3

211 - strcat_delim()

Learn how to use the strcat_delim() function to concatenate between 2 and 64 arguments using a specified delimiter as the first argument.

Concatenates between 2 and 64 arguments, using a specified delimiter as the first argument.

Syntax

strcat_delim(delimiter, argument1, argument2[ , argumentN])

Parameters

Name	Type	Required	Description
delimiter	`string`	✔️	The string to be used as separator in the concatenation.
argument1 … argumentN	scalar	✔️	The expressions to concatenate.

Returns

The arguments concatenated to a single string with delimiter.

Example

print st = strcat_delim('-', 1, '2', 'A', 1s)

Output

st
1-2-A-00:00:01

212 - strcat()

Learn how to use the strcat() function to concatenate between 1 and 64 arguments.

Concatenates between 1 and 64 arguments.

Syntax

strcat(argument1, argument2 [, argument3 … ])

Parameters

Name	Type	Required	Description
argument1 … argumentN	scalar	✔️	The expressions to concatenate.

Returns

The arguments concatenated to a single string.

Examples

Concatenated string

The following example uses the strcat() function to concatenate the strings provided to form the string, “hello world.” The results are assigned to the variable str.

print str = strcat("hello", " ", "world")

Output

str
hello world

Concatenated multi-line string

The following example uses the strcat() function to create a concatenated multi-line string which is saved to the variable, MultiLineString. It uses the newline character to break the string into new lines.

print MultiLineString = strcat("Line 1\n", "Line 2\n", "Line 3")

Output

The results show the expanded row view with the multiline string.

MultiLineString
1. “MultiLineString”: Line 1 2. Line 2 3. Line 3

213 - strcmp()

Learn how to use the strcmp() function to compare two strings.

Compares two strings.

The function starts comparing the first character of each string. If they’re equal to each other, it continues with the following pairs until the characters differ or until the end of shorter string is reached.

Syntax

strcmp(string1, string2)

Parameters

Name	Type	Required	Description
string1	`string`	✔️	The first input string for comparison.
string2	`string`	✔️	The second input string for comparison.

Returns

Returns an integer value indicating the relationship between the strings:

<0 - the first character that doesn’t match has a lower value in string1 than in string2
0 - the contents of both strings are equal
>0 - the first character that doesn’t match has a greater value in string1 than in string2

Example

datatable(string1:string, string2:string) [
    "ABC","ABC",
    "abc","ABC",
    "ABC","abc",
    "abcde","abc"
]
| extend result = strcmp(string1,string2)

Output

string1	string2	result
ABC	ABC	0
abc	ABC	1
ABC	abc	-1
abcde	abc	1

214 - string_size()

Learn how to use the string_size() function to measure the size of the input string.

Returns the size, in bytes, of the input string.

Syntax

string_size(source)

Parameters

Name	Type	Required	Description
source	`string`	✔️	The string for which to return the byte size.

Returns

Returns the length, in bytes, of the input string.

Examples

String of letters

print size = string_size("hello")

Output

size
5

String of letters and symbols

print size = string_size("⒦⒰⒮⒯⒪")

Output

size
15

215 - strlen()

Learn how to use the strlen() function to measure the length of the input string.

Returns the length, in characters, of the input string.

Syntax

strlen(source)

Parameters

Name	Type	Required	Description
source	`string`	✔️	The string for which to return the length.

Returns

Returns the length, in characters, of the input string.

Examples

String of letters

print length = strlen("hello")

Output

length
5

String of letters and symbols

print length = strlen("⒦⒰⒮⒯⒪")

Output

length
5

String with grapheme

print strlen('Çedilla') // the first character is a grapheme cluster
                        // that requires 2 code points to represent

Output

length
8

216 - strrep()

Learn how to use the strrep() function to repeat the input value.

Replicates a string the number of times specified.

Syntax

strrep(value, multiplier, [ delimiter ])

Parameters

Name	Type	Required	Description
value	`string`	✔️	The string to replicate.
multiplier	`int`	✔️	The amount of times to replicate the string. Must be a value from 1 to 67108864.
delimiter	`string`		The delimeter used to separate the string replications. The default delimiter is an empty string.

Returns

The value string repeated the number of times as specified by multiplier, concatenated with delimiter.

If multiplier is more than the maximal allowed value of 1024, the input string will be repeated 1024 times.

Example

print from_str = strrep('ABC', 2), from_int = strrep(123,3,'.'), from_time = strrep(3s,2,' ')

Output

from_str	from_int	from_time
ABCABC	123.123.123	00:00:03 00:00:03

217 - substring()

Learn how to use the substring() function to extract a substring from the source string.

Extracts a substring from the source string starting from some index to the end of the string.

Optionally, the length of the requested substring can be specified.

Syntax

substring(source, startingIndex [, length])

Parameters

Name	Type	Required	Description
source	`string`	✔️	The string from which to take the substring.
startingIndex	`int`	✔️	The zero-based starting character position of the requested substring. If a negative number, the substring will be retrieved from the end of the source string.
length	`int`		The requested number of characters in the substring. The default behavior is to take from startingIndex to the end of the source string.

Returns

A substring from the given string. The substring starts at startingIndex (zero-based) character position and continues to the end of the string or length characters if specified.

Examples

substring("123456", 1)        // 23456
substring("123456", 2, 2)     // 34
substring("ABCD", 0, 2)       // AB
substring("123456", -2, 2)    // 56

218 - tan()

Learn how to use the tan() function to return the tangent value of the specified number.

Returns the tangent value of the specified number.

Syntax

tan(x)

Parameters

Name	Type	Required	Description
x	`real`	✔️	The number for which to calculate the tangent.

Returns

The result of tan(x)

219 - The has_any_index operator

Learn how to use the has_any_index operator to search the input string for items specified in the array.

Searches the string for items specified in the array and returns the position in the array of the first item found in the string.

Syntax

has_any_index (source, values)

Parameters

Name	Type	Required	Description
source	`string`	✔️	The value to search.
values	`dynamic`	✔️	An array of scalar or literal expressions to look up.

Returns

Zero-based index position of the first item in values that is found in source. Returns -1 if none of the array items were found in the string or if values is empty.

Example

print
 idx1 = has_any_index("this is an example", dynamic(['this', 'example']))  // first lookup found in input string
 , idx2 = has_any_index("this is an example", dynamic(['not', 'example'])) // last lookup found in input string
 , idx3 = has_any_index("this is an example", dynamic(['not', 'found'])) // no lookup found in input string
 , idx4 = has_any_index("Example number 2", range(1, 3, 1)) // Lookup array of integers
 , idx5 = has_any_index("this is an example", dynamic([]))  // Empty lookup array

Output

idx1	idx2	idx3	idx4	idx5
0	1	-1	1	-1

220 - tobool()

Learn how to use the tobool() function to convert an input to a boolean representation.

Convert inputs to boolean (signed 8-bit) representation.

Syntax

tobool(value)

Parameters

Name	Type	Required	Description
value	`string`	✔️	The value to convert to boolean.

Returns

If conversion is successful, result will be a boolean. If conversion isn’t successful, result will be null.

Example

tobool("true") == true
tobool("false") == false
tobool(1) == true
tobool(123) == true

221 - todatetime()

Learn how to use the todatetime() function to convert the input expression to a datetime value.

Converts the input to a datetime scalar value.

Syntax

todatetime(value)

Parameters

Name	Type	Required	Description
value	scalar	✔️	The value to convert to datetime.

Returns

If the conversion is successful, the result will be a datetime value. Else, the result will be null.

Example

The following example converts a date and time string into a datetime value.

print todatetime("2015-12-31 23:59:59.9")

The following example compares a converted date string to a datetime value.

print todatetime('12-02-2022') == datetime('12-02-2022')

Output

print_0
true

222 - todecimal()

Learn how to use the todecimal() function to convert the input expression to a decimal number representation.

Converts the input to a decimal number representation.

Syntax

todecimal(value)

Parameters

Name	Type	Required	Description
value	scalar	✔️	The value to convert to a decimal.

Returns

If conversion is successful, result will be a decimal number. If conversion isn’t successful, result will be null.

Example

print todecimal("123.45678") == decimal(123.45678)

Output

print_0
true

223 - toguid()

Learn how to use the toguid() function to convert the input string to a guid scalar.

Converts a string to a guid scalar.

Syntax

toguid(value)

Parameters

Name	Type	Required	Description
value	scalar	✔️	The value to convert to guid.

Returns

The conversion process takes the first 32 characters of the input, ignoring properly located hyphens, validates that the characters are between 0-9 or a-f, and then converts the string into a guid scalar. The rest of the string is ignored.

If the conversion is successful, the result will be a guid scalar. Otherwise, the result will be null.

Example

datatable(str: string)
[
    "0123456789abcdef0123456789abcdef",
    "0123456789ab-cdef-0123-456789abcdef",
    "a string that is not a guid"
]
| extend guid = toguid(str)

Output

str	guid
0123456789abcdef0123456789abcdef	01234567-89ab-cdef-0123-456789abcdef
0123456789ab-cdef-0123-456789abcdef	01234567-89ab-cdef-0123-456789abcdef
a string that isn’t a guid

224 - tohex()

Learn how to use the tohex() function to convert the input value to a hexadecimal string.

Converts input to a hexadecimal string.

Syntax

tohex(value, [, minLength ])

Parameters

Name	Type	Required	Description
value	int or long	✔️	The value that will be converted to a hex string.
minLength	`int`		The value representing the number of leading characters to include in the output. Values between 1 and 16 are supported. Values greater than 16 will be truncated to 16. If the string is longer than minLength without leading characters, then minLength is effectively ignored. Negative numbers may only be represented at minimum by their underlying data size, so for an integer (32-bit) the minLength will be at minimum 8, for a long (64-bit) it will be at minimum 16.

Returns

If conversion is successful, result will be a string value. If conversion isn’t successful, result will be null.

Example

print
    tohex(256) == '100',
    tohex(-256) == 'ffffffffffffff00', // 64-bit 2's complement of -256
    tohex(toint(-256), 8) == 'ffffff00', // 32-bit 2's complement of -256
    tohex(256, 8) == '00000100',
    tohex(256, 2) == '100' // Exceeds min length of 2, so min length is ignored.

Output

print_0	print_1	print_2	print_3	print_04
true	true	true	true	true

225 - toint()

Learn how to use the toint() function to convert the input value to an integer number representation.

Converts the input to an integer value (signed 32-bit) number representation.

Syntax

toint(value)

Parameters

Name	Type	Required	Description
value	scalar	✔️	The value to convert to an integer.

Returns

If the conversion is successful, the result is an integer. Otherwise, the result is null. If the input includes a decimal value, the result truncate to only the integer portion.

Example

Convert string to integer

The following example converts a string to an integer and checks if the converted value is equal to a specific integer.

print toint("123") == 123
|project Integer = print_0

Output

Integer
true

Truncated integer

The following example inputs a decimal value and returns a truncated integer.

print toint(2.3)
|project Integer = print_0

Output

Integer
2

226 - tolong()

Learn how to use the tolong() function to convert the input value to a long number representation.

Converts the input value to a long (signed 64-bit) number representation.

Syntax

tolong(value)

Parameters

Name	Type	Required	Description
value	scalar	✔️	The value to convert to a long.

Returns

If conversion is successful, the result is a long number. If conversion isn’t successful, the result is null.

Example

tolong("123") == 123

227 - tolower()

Learn how to use the tolower() function to convert the input string to lower case.

Converts the input string to lower case.

Syntax

tolower(value)

Parameters

Name	Type	Required	Description
value	`string`	✔️	The value to convert to a lowercase string.

Returns

If conversion is successful, result is a lowercase string. If conversion isn’t successful, result is null.

Example

tolower("Hello") == "hello"

228 - toreal()

Learn how to use the toreal() function to convert the input expression to a value of type real.

Converts the input expression to a value of type real.

Syntax

toreal(Expr)

Parameters

Name	Type	Required	Description
value	scalar	✔️	The value to convert to real.

Returns

If conversion is successful, the result is a value of type real. Otherwise, the returned value will be real(null).

Example

toreal("123.4") == 123.4

229 - tostring()

Learn how to use the tostring() function to convert the input value to a string representation.

Converts the input to a string representation.

Syntax

tostring(value)

Parameters

Name	Type	Required	Description
value	scalar	✔️	The value to convert to a string.

Returns

If value is non-null, the result is a string representation of value. If value is null, the result is an empty string.

Example

print tostring(123)

230 - totimespan()

Learn how to use the totimespan() function to convert the input to a timespan scalar value.

Converts the input to a timespan scalar value.

Syntax

totimespan(value)

Parameters

Name	Type	Required	Description
value	`string`	✔️	The value to convert to a timespan.

Returns

If conversion is successful, result will be a timespan value. Else, result will be null.

Example

totimespan("0.00:01:00") == time(1min)

231 - toupper()

Learn how to use the toupper() function to convert a string to upper case.

Converts a string to upper case.

Syntax

toupper(value)

Parameters

Name	Type	Required	Description
value	`string`	✔️	The value to convert to an uppercase string.

Returns

If conversion is successful, result is an uppercase string. If conversion isn’t successful, result is null.

Example

toupper("hello") == "HELLO"

232 - translate()

Learn how to use the translate() function to replace a set of characters with another set of characters in a given string.

Replaces a set of characters (‘searchList’) with another set of characters (‘replacementList’) in a given a string. The function searches for characters in the ‘searchList’ and replaces them with the corresponding characters in ‘replacementList’

Syntax

translate(searchList, replacementList, source)

Parameters

Name	Type	Required	Description
searchList	`string`	✔️	The list of characters that should be replaced.
replacementList	`string`	✔️	The list of characters that should replace the characters in searchList.
source	`string`	✔️	A string to search.

Returns

source after replacing all occurrences of characters in ‘replacementList’ with the corresponding characters in ‘searchList’

Examples

Input	Output
`translate("abc", "x", "abc")`	`"xxx"`
`translate("abc", "", "ab")`	`""`
`translate("krasp", "otsku", "spark")`	`"kusto"`

233 - treepath()

This article describes treepath().

Enumerates all the path expressions that identify leaves in a dynamic object.

Syntax

treepath(object)

Parameters

Name	Type	Required	Description
object	`dynamic`	✔️	A dynamic property bag object for which to enumerate the path expressions.

Returns

An array of path expressions.

Examples

Expression	Evaluates to
`treepath(parse_json('{"a":"b", "c":123}'))`	`["['a']","['c']"]`
`treepath(parse_json('{"prop1":[1,2,3,4], "prop2":"value2"}'))`	`["['prop1']","['prop1'][0]","['prop2']"]`
`treepath(parse_json('{"listProperty":[100,200,300,"abcde",{"x":"y"}]}'))`	`["['listProperty']","['listProperty'][0]","['listProperty'][0]['x']"]`

234 - trim_end()

Learn how to use the trim_end() function to remove the trailing match of the specified regular expression.

Removes trailing match of the specified regular expression.

Syntax

trim_end(regex, source)

Parameters

Name	Type	Required	Description
regex	`string`	✔️	The string or regular expression to be trimmed from the end of source.
source	`string`	✔️	The source string from which to trim regex.

Returns

source after trimming matches of regex found in the end of source.

Examples

The following statement trims substring from the end of string_to_trim.

let string_to_trim = @"bing.com";
let substring = ".com";
print string_to_trim = string_to_trim,trimmed_string = trim_end(substring,string_to_trim)

Output

string_to_trim	trimmed_string
bing.com	bing

Trim non-alphanumeric characters

The following example trims all non-word characters from the end of the string.

print str = strcat("-  ","Te st",x,@"// $")
| extend trimmed_str = trim_end(@"[^\w]+",str)

Output

str	trimmed_str
- Te st1// $	- Te st1
- Te st2// $	- Te st2
- Te st3// $	- Te st3
- Te st4// $	- Te st4
- Te st5// $	- Te st5

Trim whitespace

The following example trims all spaces from the end of the string.

let string_to_trim = @"    Hello, world!    ";
let substring = @"\s+";
print
    string_to_trim = string_to_trim,
    trimmed_end = trim_end(substring, string_to_trim)

Output

string_to_trim	trimmed_end
Hello, world!	Hello, world!

| Hello, world! | Hello, world!|

235 - trim_start()

Learn how to use the trim_start() function to remove the leading match of the specified regular expression.

Removes leading match of the specified regular expression.

Syntax

trim_start(regex, source)

Parameters

Name	Type	Required	Description
regex	`string`	✔️	The string or regular expression to be trimmed from the beginning of source.
source	`string`	✔️	The source string from which to trim regex.

Returns

source after trimming match of regex found in the beginning of source.

Examples

Trim specific substring

The following example trims substring from the start of string_to_trim.

let string_to_trim = @"https://bing.com";
let substring = "https://";
print string_to_trim = string_to_trim,trimmed_string = trim_start(substring,string_to_trim)

Output

string_to_trim	trimmed_string
https://bing.com	bing.com

Trim non-alphanumeric characters

The following example trims all non-word characters from the beginning of the string.

range x from 1 to 5 step 1
| project str = strcat("-  ","Te st",x,@"// $")
| extend trimmed_str = trim_start(@"[^\w]+",str)

Output

str	trimmed_str
- Te st1// $	Te st1// $
- Te st2// $	Te st2// $
- Te st3// $	Te st3// $
- Te st4// $	Te st4// $
- Te st5// $	Te st5// $

Trim whitespace

The following example trims all spaces from the start of the string.

let string_to_trim = @"    Hello, world!    ";
let substring = @"\s+";
print
    string_to_trim = string_to_trim,
    trimmed_start = trim_start(substring, string_to_trim)

Output

string_to_trim	trimmed_start
Hello, world!	Hello, world!

| Hello, world! |Hello, world! |

236 - trim()

Learn how to use the trim() function to remove the leading and trailing match of the specified regular expression.

Removes all leading and trailing matches of the specified regular expression.

Syntax

trim(regex, source)

Parameters

Name	Type	Required	Description
regex	`string`	✔️	The string or regular expression to be trimmed from source.
source	`string`	✔️	The source string from which to trim regex.

Returns

source after trimming matches of regex found in the beginning and/or the end of source.

Examples

Trim specific substring

The following example trims substring from the start and the end of the string_to_trim.

let string_to_trim = @"--https://bing.com--";
let substring = "--";
print string_to_trim = string_to_trim, trimmed_string = trim(substring,string_to_trim)

Output

string_to_trim	trimmed_string
`--https://bing.com--`	`https://bing.com`

Trim non-alphanumeric characters

The following example trims all non-word characters from start and end of the string.

range x from 1 to 5 step 1
| project str = strcat("-  ","Te st",x,@"// $")
| extend trimmed_str = trim(@"[^\w]+",str)

Output

str	trimmed_str
- Te st1// $	Te st1
- Te st2// $	Te st2
- Te st3// $	Te st3
- Te st4// $	Te st4
- Te st5// $	Te st5

Trim whitespaces

The next statement trims all spaces from start and end of the string.

let string_to_trim = @"    Hello, world!    ";
let substring = @"\s+";
print
    string_to_trim = string_to_trim,
    trimmed_string = trim(substring, string_to_trim)

Output

string_to_trim	trimmed_string
Hello, world!	Hello, world!

237 - unicode_codepoints_from_string()

Learn how to use the unicode_codepoints_from_string() function to return a dynamic array of the Unicode codepoints of the input string.

Returns a dynamic array of the Unicode codepoints of the input string. This function is the inverse operation of unicode_codepoints_to_string() function.

Syntax

unicode_codepoints_from_string(value)

Parameters

Name	Type	Required	Description
value	`string`	✔️	The source string to convert.

Returns

Returns a dynamic array of the Unicode codepoints of the characters that make up the string provided to this function. See unicode_codepoints_to_string())

Examples

print arr = unicode_codepoints_from_string("⒦⒰⒮⒯⒪")

Output

arr
[9382, 9392, 9390, 9391, 9386]

print arr = unicode_codepoints_from_string("קוסטו - Kusto")

Output

arr
[1511, 1493, 1505, 1496, 1493, 32, 45, 32, 75, 117, 115, 116, 111]

print str = unicode_codepoints_to_string(unicode_codepoints_from_string("Kusto"))

Output

str
Kusto

238 - unicode_codepoints_to_string()

Learn how to use the unicode_codepoints_to_string() function to return the string represented by the Unicode codepoints.

Returns the string represented by the Unicode codepoints. This function is the inverse operation of unicode_codepoints_from_string() function.

Syntax

unicode_codepoints_to_string (values)

Parameters

Name	Type	Required	Description
values	int, long, or dynamic	✔️	One or more comma-separated values to convert. The values may also be a dynamic array.

Returns

Returns the string made of the UTF characters whose Unicode codepoint value is provided by the arguments to this function. The input must consist of valid Unicode codepoints. If any argument isn’t a valid Unicode codepoint, the function returns null.

Examples

print str = unicode_codepoints_to_string(75, 117, 115, 116, 111)

Output

str
Kusto

print str = unicode_codepoints_to_string(dynamic([75, 117, 115, 116, 111]))

Output

str
Kusto

print str = unicode_codepoints_to_string(dynamic([75, 117, 115]), 116, 111)

Output

str
Kusto

print str = unicode_codepoints_to_string(75, 10, 117, 10, 115, 10, 116, 10, 111)

Output

str
K u s t o

print str = unicode_codepoints_to_string(range(48,57), range(65,90), range(97,122))

Output

str
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz

239 - unixtime_microseconds_todatetime()

Learn how to use the unixtime_microseconds_todatetime() function to convert unix-epoch microseconds to UTC datetime.

Converts unix-epoch microseconds to UTC datetime.

Syntax

unixtime_microseconds_todatetime(microseconds)

Parameters

Name	Type	Required	Description
microseconds	`real`	✔️	The epoch timestamp in microseconds. A `datetime` value that occurs before the epoch time (1970-01-01 00:00:00) has a negative timestamp value.

Returns

If the conversion is successful, the result is a datetime value. Otherwise, the result is null.

Example

print date_time = unixtime_microseconds_todatetime(1546300800000000)

Output

date_time
2019-01-01 00:00:00.0000000

Convert unix-epoch seconds to UTC datetime using unixtime_seconds_todatetime().
Convert unix-epoch milliseconds to UTC datetime using unixtime_milliseconds_todatetime().
Convert unix-epoch nanoseconds to UTC datetime using unixtime_nanoseconds_todatetime().

240 - unixtime_milliseconds_todatetime()

Learn how to use the unixtime_milliseconds_todatetime() function to convert unix-epoch milliseconds to UTC datetime.

Converts unix-epoch milliseconds to UTC datetime.

Syntax

unixtime_milliseconds_todatetime(milliseconds)

Parameters

Name	Type	Required	Description
milliseconds	`real`	✔️	The epoch timestamp in microseconds. A `datetime` value that occurs before the epoch time (1970-01-01 00:00:00) has a negative timestamp value.

Returns

If the conversion is successful, the result is a datetime value. Otherwise, the result is null.

Example

print date_time = unixtime_milliseconds_todatetime(1546300800000)

Output

date_time
2019-01-01 00:00:00.0000000

Convert unix-epoch seconds to UTC datetime using unixtime_seconds_todatetime().
Convert unix-epoch microseconds to UTC datetime using unixtime_microseconds_todatetime().
Convert unix-epoch nanoseconds to UTC datetime using unixtime_nanoseconds_todatetime().

241 - unixtime_nanoseconds_todatetime()

Learn how to use the unixtime_nanoseconds_todatetime() function to convert unix-epoch nanoseconds to UTC datetime.

Converts unix-epoch nanoseconds to UTC datetime.

Syntax

unixtime_nanoseconds_todatetime(nanoseconds)

Parameters

Name	Type	Required	Description
nanoseconds	`real`	✔️	The epoch timestamp in nanoseconds. A `datetime` value that occurs before the epoch time (1970-01-01 00:00:00) has a negative timestamp value.

Returns

If the conversion is successful, the result is a datetime value. Otherwise, the result is null.

Example

print date_time = unixtime_nanoseconds_todatetime(1546300800000000000)

Output

date_time
2019-01-01 00:00:00.0000000

Convert unix-epoch seconds to UTC datetime using unixtime_seconds_todatetime().
Convert unix-epoch milliseconds to UTC datetime using unixtime_milliseconds_todatetime().
Convert unix-epoch microseconds to UTC datetime using unixtime_microseconds_todatetime().

242 - unixtime_seconds_todatetime()

Learn how to use the unixtime_seconds_todatetime() function to convert unix-epoch seconds to UTC datetime.

Converts unix-epoch seconds to UTC datetime.

Syntax

unixtime_seconds_todatetime(seconds)

Parameters

Name	Type	Required	Description
seconds	`real`	✔️	The epoch timestamp in seconds. A `datetime` value that occurs before the epoch time (1970-01-01 00:00:00) has a negative timestamp value.

Returns

If the conversion is successful, the result is a datetime value. Otherwise, the result is null.

Example

print date_time = unixtime_seconds_todatetime(1546300800)

Output

date_time
2019-01-01 00:00:00.0000000

Convert unix-epoch milliseconds to UTC datetime using unixtime_milliseconds_todatetime().
Convert unix-epoch microseconds to UTC datetime using unixtime_microseconds_todatetime().
Convert unix-epoch nanoseconds to UTC datetime using unixtime_nanoseconds_todatetime().

243 - url_decode()

Learn how to use the url_decode() function to convert an encoded URL into a regular URL representation.

The function converts an encoded URL into a regular URL representation.

For more information about URL encoding and decoding, see Percent-encoding.

Syntax

url_decode(encoded_url)

Parameters

Name	Type	Required	Description
encoded_url	`string`	✔️	The encoded URL to decode.

Returns

URL (string) in a regular representation.

Example

let url = @'https%3a%2f%2fwww.bing.com%2f';
print original = url, decoded = url_decode(url)

Output

original	decoded
https%3a%2f%2fwww.bing.com%2f	https://www.bing.com/

244 - url_encode_component()

Learn how to use the url_encode_component() function to convert characters of the input URL into a transmittable format.

The function converts characters of the input URL into a format that can be transmitted over the internet. Differs from url_encode by encoding spaces as ‘%20’ and not as ‘+’.

For more information about URL encoding and decoding, see Percent-encoding.

Syntax

url_encode_component(url)

Parameters

Name	Type	Required	Description
url	`string`	✔️	The URL to encode.

Returns

URL (string) converted into a format that can be transmitted over the Internet.

Example

let url = @'https://www.bing.com/hello world/';
print original = url, encoded = url_encode_component(url)

Output

original	encoded
https://www.bing.com/hello world/	https%3a%2f%2fwww.bing.com%2fhello%20world

245 - url_encode()

Learn how to use the url_encode() function to convert characters of the input URL into a transmittable format.

The function converts characters of the input URL into a format that can be transmitted over the internet. Differs from url_encode_component by encoding spaces as ‘+’ and not as ‘%20’ (see application/x-www-form-urlencoded here).

For more information about URL encoding and decoding, see Percent-encoding.

Syntax

url_encode(url)

Parameters

Name	Type	Required	Description
url	`string`	✔️	The URL to encode.

Returns

URL (string) converted into a format that can be transmitted over the Internet.

Examples

let url = @'https://www.bing.com/hello world';
print original = url, encoded = url_encode(url)

Output

original	encoded
https://www.bing.com/hello world/	https%3a%2f%2fwww.bing.com%2fhello+world

246 - week_of_year()

Learn how to use the week_of_year() function to get the integer representation of the week.

Returns an integer that represents the week number. The week number is calculated from the first week of a year, which is the one that includes the first Thursday, according to ISO 8601.

Deprecated aliases: weekofyear()

Syntax

week_of_year(date)

Parameters

Name	Type	Required	Description
date	`datetime`	✔️	The date for which to return the week of the year.

Returns

week number - The week number that contains the given date.

Examples

Input	Output
`week_of_year(datetime(2020-12-31))`	`53`
`week_of_year(datetime(2020-06-15))`	`25`
`week_of_year(datetime(1970-01-01))`	`1`
`week_of_year(datetime(2000-01-01))`	`52`

The current version of this function, week_of_year(), is ISO 8601 compliant; the first week of a year is defined as the week with the year’s first Thursday in it.

247 - welch_test()

Learn how to use the welch_test() function to compute the p_value of the Welch-test.

Computes the p_value of the Welch-test function

Syntax

welch_test(mean1, variance1, count1, mean2, variance2, count2)

Parameters

Name	Type	Required	Description
mean1	real or long	✔️	The mean (average) value of the first series.
variance1	real or long	✔️	The variance value of the first series.
count1	real or long	✔️	The count of values in the first series.
mean2	real or long	✔️	The mean (average) value of the second series.
variance2	real or long	✔️	The variance value of the second series.
count2	real or long	✔️	The count of values in the second series.

Returns

From Wikipedia:

In statistics, Welch’s t-test is a two-sample location test that’s used to test the hypothesis that two populations have equal means. Welch’s t-test is an adaptation of Student’s t-test, and is more reliable when the two samples have unequal variances and unequal sample sizes. These tests are often referred to as “unpaired” or “independent samples” t-tests. The tests are typically applied when the statistical units underlying the two samples being compared are non-overlapping. Welch’s t-test is less popular than Student’s t-test, and may be less familiar to readers. The test is also called “Welch’s unequal variances t-test”, or “unequal variances t-test”.

Example

// s1, s2 values are from https://en.wikipedia.org/wiki/Welch%27s_t-test
print
    s1 = dynamic([27.5, 21.0, 19.0, 23.6, 17.0, 17.9, 16.9, 20.1, 21.9, 22.6, 23.1, 19.6, 19.0, 21.7, 21.4]),
    s2 = dynamic([27.1, 22.0, 20.8, 23.4, 23.4, 23.5, 25.8, 22.0, 24.8, 20.2, 21.9, 22.1, 22.9, 20.5, 24.4])
| mv-expand s1 to typeof(double), s2 to typeof(double)
| summarize m1=avg(s1), v1=variance(s1), c1=count(), m2=avg(s2), v2=variance(s2), c2=count()
| extend pValue=welch_test(m1,v1,c1,m2,v2,c2)
// pValue = 0.021

248 - zip()

This article describes zip().

The zip function accepts any number of dynamic arrays, and returns an array whose elements are each an array holding the elements of the input arrays of the same index.

Syntax

zip(arrays)

Parameters

Name	Type	Required	Description
arrays	`dynamic`	✔️	The dynamic array values to zip. The function accepts between 2-16 arrays.

Examples

print zip(dynamic([1,3,5]), dynamic([2,4,6]))

Output

print_0
`[[1,2],[3,4],[5,6]]`

print zip(dynamic(["A", 1, 1.5]), dynamic([{}, "B"]))

Output

print_0
`[["A",{}], [1,"B"], [1.5, null]]`

datatable(a:int, b:string) [1,"one",2,"two",3,"three"]
| summarize a = make_list(a), b = make_list(b)
| project zip(a, b)

Output

print_0
`[[1,"one"],[2,"two"],[3,"three"]]`

249 - zlib_compress_to_base64_string

This article describes the zlib_compress_to_base64_string() command.

Performs zlib compression and encodes the result to base64.

Syntax

zlib_compress_to_base64_string(string)

Parameters

Name	Type	Required	Description
string	`string`	✔️	The string to be compressed and base64 encoded.

Returns

Returns a string that represents zlib-compressed and base64-encoded original string.
Returns an empty result if compression or encoding failed.

Example

Using Kusto Query Language

print zcomp = zlib_compress_to_base64_string("1234567890qwertyuiop")

Output

zcomp
“eAEBFADr/zEyMzQ1Njc4OTBxd2VydHl1aW9wOAkGdw==”

Using Python

Compression can be done using other tools, for example Python.

print(base64.b64encode(zlib.compress(b'<original_string>')))

Use zlib_decompress_from_base64_string() to retrieve the original uncompressed string.

250 - zlib_decompress_from_base64_string()

This article describes the zlib_decompress_from_base64_string() command.

Decodes the input string from base64 and performs zlib decompression.

Syntax

zlib_decompress_from_base64_string(string)

Parameters

Name	Type	Required	Description
string	`string`	✔️	The string to decode. The string should have been compressed with zlib and then base64-encoded.

Returns

Returns a string that represents the original string.
Returns an empty result if decompression or decoding failed.
- For example, invalid zlib-compressed and base 64-encoded strings will return an empty output.

Examples

Valid input

print zcomp = zlib_decompress_from_base64_string("eJwLSS0uUSguKcrMS1cwNDIGACxqBQ4=")

Output

zcomp
Test string 123

Invalid input

print zcomp = zlib_decompress_from_base64_string("x0x0x0")

Output

zcomp

Create a compressed input string with zlib_compress_to_base64_string().

Scalar functions

1 - abs()

Syntax

Parameters

Returns

Example

2 - acos()

Syntax

Parameters

Returns

3 - ago()

Syntax

Parameters

Returns

Example

4 - around() function

Syntax

Parameters

Returns

Example: Filtering values around a specific timestamp

5 - array_concat()

Syntax

Parameters

Returns

Example

Related content

6 - array_iff()

Syntax

Parameters

Returns

Examples

Numeric condition values

Non-numeric and non-boolean condition values

Mismatched array lengths

7 - array_index_of()

Syntax

Parameters

Returns

Example

Related content

8 - array_length()

Syntax

Parameters

Returns

Examples

9 - array_reverse()

Syntax

Parameters

Returns

Example

10 - array_rotate_left()

Syntax

Parameters

Returns

Examples

Related content

11 - array_rotate_right()

Syntax

Parameters

Returns

Examples

Related content

12 - array_shift_left()

Syntax

Parameters

Returns

Examples

Related content

13 - array_shift_right()

Syntax

Parameters

Returns

Examples

Related content

14 - array_slice()

Syntax

Parameters

Returns

Examples

15 - array_sort_asc()

Control location of `null` values

Control location of `null` values