KQL merge rows with the same ID into one row
I have a lot of log data that has some duplicate values except for two columns. The simplified query looks like this:
AzureActivity
| project TimeGenerated, CorrelationId, Caller, Action, RoleId, ObjectId
This gives me a table that looks like this:
| TimeGenerated | CorrelationId | Caller | Action | RoleId | ObjectId | Status |
|---|---|---|---|---|---|---|
| 8/13/2024, 4:09:34.099 PM | 1 | John Doe | Delete | 222 | 333 | Success |
| 8/13/2024, 4:09:35.099 PM | 1 | John Doe | Delete | Start | ||
| 8/15/2024, 8:09:34.099 PM | 2 | John Doe | Write | 444 | 555 | Success |
| 8/15/2024, 8:09:35.099 PM | 2 | John Doe | Write | Start | ||
| 8/19/2024, 1:09:34.099 PM | 3 | John Doe | Write | 666 | 777 | Success |
| 8/19/2024, 1:09:36.099 PM | 3 | John Doe | Write | Start |
I would like the table to look like this:
| TimeGenerated | CorrelationId | Caller | Action | RoleId | ObjectId | Status |
|---|---|---|---|---|---|---|
| 8/13/2024, 4:09:34.099 PM | 1 | John Doe | Delete | 222 | 333 | Success |
| 8/15/2024, 8:09:34.099 PM | 2 | John Doe | Write | 444 | 555 | Success |
| 8/19/2024, 1:09:34.099 PM | 3 | John Doe | Write | 666 | 777 | Success |
Anyone has any tips on how to get this to work?
I have tried to summarize by the correlation ID, but I will either still have duplicate rows or missing rows. I have tried to look for other solutions, but can't seem to find anything that works for this specific case.
Solution
Another (similar) solution would be to control which elements take_any() will choose with prev() and order by, like that:
datatable(TimeGenerated:datetime, CorrelationId:long, Caller:string, Action:string, RoleId:long, ObjectId:long, Status:string)
[
datetime(8/13/2024, 4:09:35.099 PM), 1, 'John Doe', 'Delete', 111, long(null), 'Start',
datetime(8/19/2024, 1:09:36.099 PM), 3, 'John Doe', 'Write', long(null), long(null), 'Start',
datetime(8/15/2024, 8:09:35.099 PM), 2, 'John Doe', 'Write', long(null), long(null), 'Start',
datetime(8/13/2024, 4:09:34.099 PM), 1, 'John Doe', 'Delete', 222, 333, 'Success',
datetime(8/15/2024, 8:09:34.099 PM), 2, 'John Doe', 'Write', 444, 555, 'Success',
datetime(8/19/2024, 1:09:34.099 PM), 3, 'John Doe', 'Write', 666, 777, 'Success',
]
| order by CorrelationId, RoleId, ObjectId
| where prev(CorrelationId) != CorrelationId
| summarize take_any(*) by CorrelationId
This Query will only choose non-empty fields (if existing) of RoleId and ObjectId. Without that take_any() would just choose random matching CorrelationIds.
- Cannot add data to a ComplexField using Python SDK for Azure AI Search
- letsencrypt cert request failing for AKS ingress
- Playwright Test execution on Azure Windows machine fails in pipeline with error as No test found, It works perfectly with same command
- How to Combining PowerShell Output from multiple server to Single csv
- How can I find all Azure app registrations with API permissions to a specific app registration?
- Azure Deployment Groups vs Agent Pools
- I cannot extract .sql CREATE TABLEs for each table in my Azure SQL Database in my Azure Repo
- Can not read blobs through BlobContainerClient for blobs with empty folder prefixes
- Are task logs deleted when the node is deleted due to autoscaling in Azure Batch service?
- Azure Function Blob Storage Monitor
- I want to fetch Azure SQL table data from ADF to use as input in copy activity
- How to access code of my Azure website?
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- Azure Function - HTTP trigger request length exceeded
- How and where to define an environment variable on Azure
- Stream Analytics doesn't output the data to SQL but does to a blob storage
- While Hierarchical namespace enabled cannot upload blob with metadata hdi_isfolder
- Cannot log in to Visual Studio Account in VS 2022
- SchemaColumnConvertNotSupportedException: column: [Col_Name], physicalType: INT64, logicalType: string
- create Azure Keyvault secret without exposing values
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- Deploy ARM template at management group scope with Azure DevOps Pipeline
- How to make an azure function that deploys my bicep script from Azure Storage Account
- Basic SQL commands in Terraform
- Can we Deploy Web Application in Azure OpenAI of Production Level
- Get-MgGroupMember by display name instead of userID
- Azure DevOps REST API parent relation link to existing work item error
- What should be put to 'repoOwners' in Managed Identity Federated Credentials policy?
- How to get list of users from CSV file whose LastSignInDate column has a date that is before 90 days from current date or is empty?
- Langchain cannot connect with Azure SQL Database