make_bag_if() (aggregation function)

Applies to: ✅ Azure Data Explorer, Azure Monitor, Microsoft Sentinel

Creates a dynamic JSON property bag (dictionary) of expr values in records for which predicate evaluates to true.

Null values are ignored and don't factor into the calculation.


This function is used in conjunction with the summarize operator.


make_bag_if(expr, predicate [, maxSize])

Learn more about syntax conventions.


| Name | Type | Required | Description |
|---|---|---|---|
| expr | dynamic | ✔️ | The expression used for the aggregation calculation. |
| predicate | bool | ✔️ | The predicate that evaluates to true, in order for expr to be added to the result. |
| maxSize | int | | The limit on the maximum number of elements returned. The default and max value is 1048576. |


Returns a dynamic JSON property bag (dictionary) of expr values in records for which predicate evaluates to true. Non-dictionary values will be skipped. If a key appears in more than one row, an arbitrary value, out of the possible values for this key, will be selected.


This function without the predicate is similar to make_bag.


The following example shows a packed JSON property bag.

let T = datatable(prop:string, value:string, predicate:bool)
[
    "prop01", "val_a", true,
    "prop02", "val_b", false,
    "prop03", "val_c", true
];
T
| extend p = bag_pack(prop, value)
| summarize dict=make_bag_if(p, predicate)


{ "prop01": "val_a", "prop03": "val_c" }

Use the bag_unpack() plugin to transform the bag keys in the make_bag_if() output into columns.

let T = datatable(prop:string, value:string, predicate:bool)
[
    "prop01", "val_a", true,
    "prop02", "val_b", false,
    "prop03", "val_c", true
];
T
| extend p = bag_pack(prop, value)
| summarize bag=make_bag_if(p, predicate)
| evaluate bag_unpack(bag)


| prop01 | prop03 |
|---|---|
| val_a | val_c |
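
Because an arbitrary value is kept when a key appears in more than one row, a bag built directly from raw events is not deterministic when the same key repeats. The following added example (not part of the original documentation) reduces the data to one row per key with arg_max() before calling make_bag_if(), so each key maps to a known value. The SignIns table, its column names, and all values are constructed for illustration.

```kusto
// Constructed sample data: sign-in events (not taken from any real log).
// ResultType "0" is treated as success here; any other value is a failure code.
let SignIns = datatable(TimeGenerated:datetime, Account:string, IPAddress:string, ResultType:string)
[
    datetime(2024-01-01 10:00:00), "alice", "203.0.113.10", "50126",
    datetime(2024-01-01 10:05:00), "alice", "203.0.113.10", "50053",
    datetime(2024-01-01 10:06:00), "alice", "198.51.100.7", "0",
    datetime(2024-01-01 10:07:00), "bob",   "192.0.2.44",   "50126",
    datetime(2024-01-01 10:09:00), "bob",   "192.0.2.44",   "0"
];
SignIns
| extend Failed = ResultType != "0"
// Keep only the most recent event per (Account, IPAddress, Failed), so that every
// bag key below comes from exactly one row and no arbitrary selection takes place.
| summarize arg_max(TimeGenerated, ResultType) by Account, IPAddress, Failed
| extend entry = bag_pack(IPAddress, ResultType)
// One bag per account containing only failed sign-ins: source IP -> latest failure code.
| summarize FailedByIP = make_bag_if(entry, Failed) by Account
```

Rows where Failed is false never reach the bag, so an address that only produced successful sign-ins does not appear as a key.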