Tip of the week: parse, top and Update policy

Parse operator 

 

A parse operator provides a streamlined way to extend a table by applying multiple wildcard match operations on a single string expression. This is most useful when the table has a string column that combines multiple values that you want to extract into individual columns. A common example would be if you have a text columns that is produced by a developer trace instrumentation point ("printf"/"Console.WriteLine"). The following example extracts the Api and User fields from a usage trace line.  

 

KustoLogs 
| where EventText startswith "$$USAGE"  
| take 2 
| parse EventText with * "Api='" Api "', User='" User "'" Ignore 
| project EventText, Api, User  

 

	EventText	Api	User
	$$USAGE[Gateway]: Api='Admin', User='WORKGROUP\SYSTEM', Applicati	Admin	WORKGROUP\SYSTEM
	$$USAGE[Gateway]: Api='Admin', User='WORKGROUP\SYSTEM', Applicati	Admin	WORKGROUP\SYSTEM

 

Top operator

 

The top operator support sorting by numeric and string values.  

 

Usage 
| where Timestamp >= ago(7d) and Api == "Query"  
| summarize count() by User  
| top 1 by User  

  

	User	count_
	AzureDataExplorer@outlook.com	13

 

 

Update Policy  

The update policy allows associating a query with a table, and invoking that query on each data ingestion operation to that table, then writing the query output to a different table. This is useful for scenarios that require keeping a modified subset of the original data for longer time periods.