facet operator
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Returns a set of tables, one for each specified column.
Each table specifies the list of values taken by its column.
An additional table can be created by using the with clause.
T | facet by ColumnName [, ColumnName2, ...] [with ( filterPipe )]
Learn more about syntax conventions.
| Name | Type | Required | Description |
|---|---|---|---|
| ColumnName | string |
✔️ | The column name, or list of column names, to be summarized. |
| filterPipe | string |
A query expression applied to the input table. |
Multiple tables: one for the with clause, and one for each column.
StormEvents
| where State startswith "A" and EventType has "Heavy"
| facet by State, EventType
with
(
where StartTime between(datetime(2007-01-04) .. 7d)
| project State, StartTime, Source, EpisodeId, EventType
| take 5
)
The following is the table generated by the with clause.
| State | StartTime | Source | EpisodeId | EventType |
|---|---|---|---|---|
| ALASKA | 2007-01-04 12:00:00.0000000 | COOP Observer | 2192 | Heavy Snow |
| ALASKA | 2007-01-04 15:00:00.0000000 | Trained Spotter | 2192 | Heavy Snow |
| ALASKA | 2007-01-04 15:00:00.0000000 | Trained Spotter | 2192 | Heavy Snow |
| ALASKA | 2007-01-04 15:00:00.0000000 | Trained Spotter | 2192 | Heavy Snow |
| ALASKA | 2007-01-06 18:00:00.0000000 | COOP Observer | 2193 | Heavy Snow |
The following table is the State facet output table.
| State | count_State |
|---|---|
| ALABAMA | 19 |
| ARIZONA | 33 |
| ARKANSAS | 1 |
| AMERICAN SAMOA | 1 |
| ALASKA | 58 |
The following table is the EventType facet output table.
| EventType | count_EventType |
|---|---|
| Heavy Rain | 34 |
| Heavy Snow | 78 |