take_anyif() (aggregation function)

Applies to: ✅ Azure Data ExplorerAzure MonitorMicrosoft Sentinel

Arbitrarily selects one record for each group in a summarize operator in records for which the predicate is 'true'. The function returns the value of an expression over each such record.

This function is useful when you want to get a sample value of one column per value of the compound group key, subject to some predicate that is true. If such a value is present, the function attempts to return a non-null/non-empty value.

Deprecated aliases: anyif()

Note

The deprecated version adds any_ prefix to the columns returned by the any() aggregation.

Syntax

take_anyif( expr, predicate )

Learn more about syntax conventions.

Parameters

Name Type Required Description
expr string ✔️ The expression used for selecting a record.
predicate string ✔️ Indicates which records may be considered for evaluation.

Returns

The take_anyif aggregation function returns the value of the expression calculated for each of the records randomly selected from each group of the summarize operator. Only records for which predicate returns 'true' may be selected. If the predicate doesn't return 'true', a null value is produced.

Examples

Pick a random EventType from Storm events, where event description has a key phrase.

StormEvents
| summarize take_anyif(EventType, EventNarrative has 'strong wind')

Output

EventType
Strong Wind