The parse operator provides a streamlined way to extend a table by applying multiple wildcard match operations to a single string expression. This is most useful when the table has a string column that combines multiple values that you want to extract into individual columns. A common example is a text column produced by a developer trace instrumentation point ("printf"/"Console.WriteLine"). The following example extracts the Api and User fields from a usage trace line.
| where EventText startswith "$$USAGE"
| take 2
| parse EventText with * "Api='" Api "', User='" User "'" Ignore
| project EventText, Api, User
The top operator supports sorting by numeric and string values.
| where Timestamp >= ago(7d) and Api == "Query"
| summarize count() by User
| top 1 by User
The update policy allows associating a query with a table, and invoking that query on each data ingestion operation to that table, then writing the query output to a different table. This is useful for scenarios that require keeping a modified subset of the original data for longer time periods.
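An added example (not from the original page) of an update policy that applies the parse pattern above at ingestion time. The table names RawTraces and UsageEvents, the function name ExtractUsage, and the retention periods are assumptions chosen for illustration.

```kusto
// Hypothetical source table that receives the raw trace lines.
.create table RawTraces (Timestamp: datetime, EventText: string)

// Hypothetical target table that holds only the extracted usage fields.
.create table UsageEvents (Timestamp: datetime, Api: string, User: string)

// The function's output schema must match the target table's schema.
// When invoked by the update policy, RawTraces refers only to the newly ingested records.
.create-or-alter function ExtractUsage() {
    RawTraces
    | where EventText startswith "$$USAGE"
    | parse EventText with * "Api='" Api "', User='" User "'" Ignore
    | project Timestamp, Api, User
}

// Run ExtractUsage() on each ingestion into RawTraces and write the output to UsageEvents.
.alter table UsageEvents policy update
@'[{"IsEnabled": true, "Source": "RawTraces", "Query": "ExtractUsage()", "IsTransactional": false}]'

// Keep the extracted subset for longer than the raw data (periods are assumed values).
.alter-merge table RawTraces policy retention softdelete = 30d
.alter-merge table UsageEvents policy retention softdelete = 365d
```

With "IsTransactional" set to false, a failure in the policy query does not fail ingestion into the source table, so rows can be missing from the target; set it to true when the derived table must stay complete.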