fork operator

Learn how to use the fork operator to run multiple consumer operators in parallel.

Runs multiple consumer operators in parallel.

Syntax

T | fork [name=](subquery) [name=](subquery)

Parameters

NameTypeRequiredDescription
subquerystring✔️A downstream pipeline of supported query operators.
namestringA temporary name for the subquery result table.

Supported query operators

Returns

Multiple result tables, one for each of the subquery arguments.

Tips

  • Use materialize as a replacement for join or union on fork legs. The input stream is cached by materialize and then the cached expression can be used in join/union legs.

  • Use batch with materialize of tabular expression statements instead of the fork operator.

Examples

The examples output multiple tables, with named and umnamed columns.

Unnamed subqueries

StormEvents
| where State == "FLORIDA"
| fork
    ( where DeathsDirect + DeathsIndirect > 1)
    ( where InjuriesDirect + InjuriesIndirect > 1)

Output

This output shows the first few rows and columns of the result table.

GenericResult

StartTimeEndTimeEpisodeIdEventIdStateEventTypeInjuriesDirectInjuriesIndirect
2007-02-02T03:17:00Z2007-02-02T03:25:00Z346418948FLORIDATornado100
2007-02-02T03:37:00Z2007-02-02T03:55:00Z346418950FLORIDATornado90
2007-03-13T08:20:00Z2007-03-13T08:20:00Z409422961FLORIDADense Fog30
2007-09-11T15:26:00Z2007-09-11T15:26:00Z957853798FLORIDARip Current00

GenericResult

StartTimeEndTimeEpisodeIdEventIdStateEventTypeInjuriesDirectInjuriesIndirect
2007-02-02T03:10:00Z2007-02-02T03:16:00Z254517515FLORIDATornado150
2007-02-02T03:17:00Z2007-02-02T03:25:00Z346418948FLORIDATornado100
2007-02-02T03:37:00Z2007-02-02T03:55:00Z346418950FLORIDATornado90
2007-02-02T03:55:00Z2007-02-02T04:10:00Z346420318FLORIDATornado420

Named subqueries

In the following examples, the result table is named “StormsWithDeaths” and “StormsWithInjuries”.

StormEvents
| where State == "FLORIDA"
| fork
    (where DeathsDirect + DeathsIndirect > 1 | as StormsWithDeaths)
    (where InjuriesDirect + InjuriesIndirect > 1 | as StormsWithInjuries)

StormEvents
| where State == "FLORIDA"
| fork
    StormsWithDeaths = (where DeathsDirect + DeathsIndirect > 1)
    StormsWithInjuries = (where InjuriesDirect + InjuriesIndirect > 1)

Output

This output shows the first few rows and columns of the result table.

StormsWithDeaths

StartTimeEndTimeEpisodeIdEventIdStateEventTypeInjuriesDirectInjuriesIndirect
2007-02-02T03:17:00Z2007-02-02T03:25:00Z346418948FLORIDATornado100
2007-02-02T03:37:00Z2007-02-02T03:55:00Z346418950FLORIDATornado90
2007-03-13T08:20:00Z2007-03-13T08:20:00Z409422961FLORIDADense Fog30
2007-09-11T15:26:00Z2007-09-11T15:26:00Z957853798FLORIDARip Current00

StormsWithInjuries

StartTimeEndTimeEpisodeIdEventIdStateEventTypeInjuriesDirectInjuriesIndirect
2007-02-02T03:10:00Z2007-02-02T03:16:00Z254517515FLORIDATornado150
2007-02-02T03:17:00Z2007-02-02T03:25:00Z346418948FLORIDATornado100
2007-02-02T03:37:00Z2007-02-02T03:55:00Z346418950FLORIDATornado90
2007-02-02T03:55:00Z2007-02-02T04:10:00Z346420318FLORIDATornado420
SamplePowerRequirementHistorizedData
| fork
    Dataset2 = (where twinId  <> "p_sol_01" | summarize count() by twinId, name)
    Dataset3 = (summarize count() by WeekOfYear = week_of_year(timestamp))

Fork operator

It is possible to use almost all the known features of the KQL language inside every single “sub” result set. For instance, the join operator inside a sub-statement does not work. This is not allowed by the engine.