take_any() (aggregation function)

Applies to: ✅ Azure Data ExplorerAzure MonitorMicrosoft Sentinel

Arbitrarily chooses one record for each group in a summarize operator, and returns the value of one or more expressions over each such record.

Deprecated aliases: any()

Note

The deprecated version adds any_ prefix to the columns returned by the any() aggregation.

Syntax

take_any(expr_1 [, expr_2 ...])

take_any(*)

Learn more about syntax conventions.

Parameters

Name Type Required Description
expr_N string ✔️ The expression used for selecting a record. If the wildcard value (*) is given in place of an expression, all records will be selected.

Returns

The take_any aggregation function returns the values of the expressions calculated for each of the records selected Indeterministically from each group of the summarize operator.

If the * argument is provided, the function behaves as if the expressions are all columns of the input to the summarize operator barring the group-by columns, if any.

Remarks

This function is useful when you want to get a sample value of one or more columns per value of the compound group key.

When the function is provided with a single column reference, it will attempt to return a non-null/non-empty value, if such value is present.

As a result of the indeterministic nature of this function, using this function multiple times in a single application of the summarize operator isn't equivalent to using this function a single time with multiple expressions. The former may have each application select a different record, while the latter guarantees that all values are calculated over a single record (per distinct group).

Examples

Show indeterministic State:

StormEvents
| summarize take_any(State)

Output

State
ATLANTIC SOUTH

Show all the details for a random record:

StormEvents
| project StartTime, EpisodeId, State, EventType
| summarize take_any(*)

Output

StartTime EpisodeId State EventType
2007-09-29 08:11:00.0000000 11091 ATLANTIC SOUTH Waterspout

Show all the details of a random record for each State starting with 'A':

StormEvents
| where State startswith "A"
| project StartTime, EpisodeId, State, EventType
| summarize take_any(*) by State

Output

State StartTime EpisodeId EventType
ALASKA 2007-02-01 00:00:00.0000000 1733 Flood
ATLANTIC SOUTH 2007-09-29 08:11:00.0000000 11091 Waterspout
ATLANTIC NORTH 2007-11-27 00:00:00.0000000 11523 Marine Thunderstorm Wind
ARIZONA 2007-12-01 10:40:00.0000000 11955 Flash Flood
AMERICAN SAMOA 2007-12-07 14:00:00.0000000 13183 Flash Flood
ARKANSAS 2007-12-09 16:00:00.0000000 11319 Lightning
ALABAMA 2007-12-15 18:00:00.0000000 12580 Heavy Rain