KQL - make_set distinct

futureninja · ‎Mar 21 2023

Hi everyone,

This may be simple however I've been unable to find a method or function to get my desired result. I may have missed something.

I want to summarize an event and use make_set to minimize the results.

I want something like make_set() but only distinct values.

What I have in mind is distinct_make_set(LoginInfo) and distinct_make_set(IPVTimeGenerated)

Desired summarize:

| summarize

LastestSignIn = arg_max(TimeGenerated,UserName),

EarliestSignIn = arg_min(TimeGenerated, UserName),

AttemptsBeforeIPV = countif(LoginInfo == "IPV activity after Login attempt"),

IPVTimeGenerated = distinct_make_set(IPVTimeGenerated),

LoginInfo = distinct_make_set(LoginInfo)

SignInCount = count() by

UserName, Activity

Thank you in advance!

futureninja · ‎Mar 21 2023

make_set() is already "distinct", its make_list that isn't?

futureninja · ‎Mar 21 2023

well, well... looks like I did indeed miss something major. Thanks!

Clive_Watson · ‎Mar 21 2023

Easily done ;)

futureninja · ‎Mar 21 2023

make_set() is already "distinct", its make_list that isn't?

Re: KQL - make_set distinct