KQL merge rows with the same ID into one row
I have a lot of log data that has some duplicate values except for two columns. The simplified query looks like this:
AzureActivity
| project TimeGenerated, CorrelationId, Caller, Action, RoleId, ObjectId
This gives me a table that looks like this:
| TimeGenerated | CorrelationId | Caller | Action | RoleId | ObjectId | Status |
|---|---|---|---|---|---|---|
| 8/13/2024, 4:09:34.099 PM | 1 | John Doe | Delete | 222 | 333 | Success |
| 8/13/2024, 4:09:35.099 PM | 1 | John Doe | Delete | Start | ||
| 8/15/2024, 8:09:34.099 PM | 2 | John Doe | Write | 444 | 555 | Success |
| 8/15/2024, 8:09:35.099 PM | 2 | John Doe | Write | Start | ||
| 8/19/2024, 1:09:34.099 PM | 3 | John Doe | Write | 666 | 777 | Success |
| 8/19/2024, 1:09:36.099 PM | 3 | John Doe | Write | Start |
I would like the table to look like this:
| TimeGenerated | CorrelationId | Caller | Action | RoleId | ObjectId | Status |
|---|---|---|---|---|---|---|
| 8/13/2024, 4:09:34.099 PM | 1 | John Doe | Delete | 222 | 333 | Success |
| 8/15/2024, 8:09:34.099 PM | 2 | John Doe | Write | 444 | 555 | Success |
| 8/19/2024, 1:09:34.099 PM | 3 | John Doe | Write | 666 | 777 | Success |
Anyone has any tips on how to get this to work?
I have tried to summarize by the correlation ID, but I will either still have duplicate rows or missing rows. I have tried to look for other solutions, but can't seem to find anything that works for this specific case.
Solution
Another (similar) solution would be to control which elements take_any() will choose with prev() and order by, like that:
datatable(TimeGenerated:datetime, CorrelationId:long, Caller:string, Action:string, RoleId:long, ObjectId:long, Status:string)
[
datetime(8/13/2024, 4:09:35.099 PM), 1, 'John Doe', 'Delete', 111, long(null), 'Start',
datetime(8/19/2024, 1:09:36.099 PM), 3, 'John Doe', 'Write', long(null), long(null), 'Start',
datetime(8/15/2024, 8:09:35.099 PM), 2, 'John Doe', 'Write', long(null), long(null), 'Start',
datetime(8/13/2024, 4:09:34.099 PM), 1, 'John Doe', 'Delete', 222, 333, 'Success',
datetime(8/15/2024, 8:09:34.099 PM), 2, 'John Doe', 'Write', 444, 555, 'Success',
datetime(8/19/2024, 1:09:34.099 PM), 3, 'John Doe', 'Write', 666, 777, 'Success',
]
| order by CorrelationId, RoleId, ObjectId
| where prev(CorrelationId) != CorrelationId
| summarize take_any(*) by CorrelationId
This Query will only choose non-empty fields (if existing) of RoleId and ObjectId. Without that take_any() would just choose random matching CorrelationIds.
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Create Azure TimerTrigger Durable Function in python
- Azure File Share: Cannot map network drive
- RBAC with bicep
- ADF expression to convert array to comma separated string
- How to get status of Azure machine learning service pipeline run using Rest Api?
- How do I deploy a Nuxt 3 solution to an Azure Node Web App
- Azure Blob Upload not working in ASP .Net Core Application
- How to clear a Cosmos DB database or delete all items using Azure portal
- Using script commands, how to add multiple scale rules to an Azure Container App?
- User Assigned Managed Identity: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId
- Generate resources dynamically from another group of dynamically generated resources in Terraform
- Column reordering in ADF
- Logic App AuthorizationFailure - vnet integration needed
- Azure blob, controlling filename on download
- Azure VNet peering with Private Link
- Get Private FQDNs, IPs, Names of the Private Endpoints for the Azure resources deployed in an Virtual Network using PowerShell Script
- How to configure appsettings on a auto-generated preview environment
- Using Azure DevOps, how do I migrate a release pipeline to code, similar to build pipeline yml?
- Root login Ubuntu VM on Azure
- Filtering azure devops release build based upon build tag with "Continuous deployment trigger"
- Azure WebApp autoscale
- How to handle long startup times in Azure App Service deployment
- Frontend not available when front and back on same Web App Azure
- Use Salesforce Connectors from Hosted Azure Logic App in VSCode?
- What is considered an ingestion request in Azure Data Explorer?
- Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?
- Azure function verbose trace logging to Application Insights
- Azure function app GraphServiceClient create list
- Cypress tests fail to run in parallel mode due to mismatched specs between different runs