Parse operator
A parse operator provides a streamlined way to extend a table by applying multiple wildcard match operations on a single string expression. This is most useful when the table has a string column that combines multiple values that you want to extract into individual columns. A common example would be if you have a text columns that is produced by a developer trace instrumentation point ("printf"/"Console.WriteLine"). The following example extracts the Api and User fields from a usage trace line.
KustoLogs
| where EventText startswith "$$USAGE"
| take 2
| parse EventText with * "Api='" Api "', User='" User "'" Ignore
| project EventText, Api, User
|
|
|
|
|
|
|
EventText
|
Api
|
User
|
|
|
$$USAGE[Gateway]: Api='Admin', User='WORKGROUP\SYSTEM', Applicati
|
Admin
|
WORKGROUP\SYSTEM
|
|
|
$$USAGE[Gateway]: Api='Admin', User='WORKGROUP\SYSTEM', Applicati
|
Admin
|
WORKGROUP\SYSTEM
|
Top operator
The top operator support sorting by numeric and string values.
Usage
| where Timestamp >= ago(7d) and Api == "Query"
| summarize count() by User
| top 1 by User
|
|
User
|
count_
|
|
|
AzureDataExplorer@outlook.com
|
13
|
Update Policy
The update policy allows associating a query with a table, and invoking that query on each data ingestion operation to that table, then writing the query output to a different table. This is useful for scenarios that require keeping a modified subset of the original data for longer time periods.
