diff --git a/data-explorer/kusto/management/alter-entity-group.md b/data-explorer/kusto/management/alter-entity-group.md new file mode 100644 index 0000000000..1602cb5ad5 --- /dev/null +++ b/data-explorer/kusto/management/alter-entity-group.md 
@@ -0,0 +1,64 @@ +--- +title: .alter entity_group command +description: Learn how to use the `.alter entity_group` command to change an existing entity group. +ms.reviewer: ziham1531991 +ms.topic: reference +ms.date: 01/26/2025 +--- + + +# .alter entity_group command + +> [!INCLUDE [applies](../includes/applies-to-version/applies.md)] [!INCLUDE [fabric](../includes/applies-to-version/fabric.md)] [!INCLUDE [azure-data-explorer](../includes/applies-to-version/azure-data-explorer.md)] + +Alters an existing entity group and stores it inside the database metadata. For more information, see [Entity groups](entity-groups.md). + +## Permissions + +You must have at least [Database Admin](../access-control/role-based-access-control.md) permissions to run this command. + +## Syntax + +`.alter` `entity_group` [`ifnotexists`] *EntityGroupName* `(`*EntityReference* [`,` ...]`)` + +[!INCLUDE [syntax-conventions-note](../includes/syntax-conventions-note.md)] + +## Parameters + +|Name|Type|Required|Description| +|--|--|--|--| +| `ifnotexists` | `string` | | If specified, the entity group is only created if the entity group doesn't exist yet.| +|*EntityGroupName*| `string` | :heavy_check_mark:|The name of the entity group. | +|*EntityReference*| `string` | :heavy_check_mark:|An entity included in the entity group. | + +## Returns + +This command returns a table with the following columns: + +|Output parameter |Type |Description| +|---|---|---| +|Name | `string` | The name of the entity group.| +|Entities | `array` | An array which includes one or more entities. If the entity group doesn't exist, and the `ifnotexists` flag isn't specified, an error is returned.| + +## Examples + +The following example alters `MyEntityGroup` to include the entity, `cluster('c1').database('d1')`. 
+ +```kusto +.alter entity_group MyEntityGroup (cluster('c1').database('d1')) +``` + +**Output** + +|Name|Entities| +|---|---| +|MyEntityGroup|["cluster('c1').database('d1')"]| + +## Related content + +* [Entity groups](entity-groups.md) +* [Entity types](../query/schema-entities/index.md) +* [.create entity_group command](create-entity-group.md) +* [.alter-merge entity_group command](alter-merge-entity-group.md) +* [.drop entity_group command](drop-entity-group.md) +* [.show entity_group(s) command](show-entity-group.md) diff --git a/data-explorer/kusto/management/alter-merge-entity-group.md b/data-explorer/kusto/management/alter-merge-entity-group.md new file mode 100644 index 0000000000..86edd17d6e --- /dev/null +++ b/data-explorer/kusto/management/alter-merge-entity-group.md 
@@ -0,0 +1,76 @@ +--- +title: .alter-merge entity_group command +description: Learn how to use the `.alter-merge entity_group` command to change an existing entity group. +ms.reviewer: ziham1531991 +ms.topic: reference +ms.date: 01/26/2025 +--- + +# .alter-merge entity_group command + +> [!INCLUDE [applies](../includes/applies-to-version/applies.md)] [!INCLUDE [fabric](../includes/applies-to-version/fabric.md)] [!INCLUDE [azure-data-explorer](../includes/applies-to-version/azure-data-explorer.md)] + +Alters and merges an existing entity group with the provided list of entities and stores it inside the database metadata. For more information, see [Entity groups](entity-groups.md). + +## Permissions + +You must have at least [Database Admin](../access-control/role-based-access-control.md) permissions to run this command. + +## Syntax + +`.alter-merge` `entity_group` *EntityGroupName* `(`*EntityReference* [`,` ...]`)` + +[!INCLUDE [syntax-conventions-note](../includes/syntax-conventions-note.md)] + +## Parameters + +|Name|Type|Required|Description| +|--|--|--|--| +|*EntityGroupName*| `string` | :heavy_check_mark:|The name of the entity group. | +|*EntityReference*| `string` | :heavy_check_mark:|An entity included in the entity group. | + +## Returns + +This command returns a table with the following columns: + +|Output parameter |Type |Description| +|---|---|---| +|Name | `string` | The name of the entity group.| +|Entities | `array` | An array which includes one or more entities.| + +## Examples + +The following example edits the `MyEntityGroup` entity group and adds the entity `cluster('c2').database('d2')` to the entity group. 
+ +First run the following command to create a new entity group with entity `cluster('c1').database('d1')`: + +```kusto +.create entity_group MyEntityGroup (cluster('c1').database('d1')) +``` + +**Output** + +|Name|Entities| +|---|---| +|MyEntityGroup|["cluster('c1').database('d1')"]| + +Then run the following command to edit the existing entity group `MyEntityGroup` and add the entity `cluster('c2').database('d2')`: + +```kusto +.alter-merge entity_group MyEntityGroup (cluster('c2').database('d2')) +``` + +**Output** + +|Name|Entities| +|---|---| +|MyEntityGroup|["cluster('c1').database('d1')","cluster('c2').database('d2')"]| + +## Related content + +* [Entity groups](entity-groups.md) +* [Entity types](../query/schema-entities/index.md) +* [.create entity_group command](create-entity-group.md) +* [.alter entity_group command](alter-entity-group.md) +* [.drop entity_group command](drop-entity-group.md) +* [.show entity_group(s) command](show-entity-group.md) diff --git a/data-explorer/kusto/management/create-entity-group.md b/data-explorer/kusto/management/create-entity-group.md new file mode 100644 index 0000000000..630c72530c --- /dev/null +++ b/data-explorer/kusto/management/create-entity-group.md 
@@ -0,0 +1,61 @@ +--- +title: .create entity_group command +description: Learn how to use the `.create entity_group` command to create an entity group. +ms.reviewer: ziham1531991 +ms.topic: reference +ms.date: 01/27/2025 +--- + +# .create entity_group command + +> [!INCLUDE [applies](../includes/applies-to-version/applies.md)] [!INCLUDE [fabric](../includes/applies-to-version/fabric.md)] [!INCLUDE [azure-data-explorer](../includes/applies-to-version/azure-data-explorer.md)] + +Creates a stored entity group with a specific name, which functions like a reusable [`let` statement](../query/let-statement.md). The entity group definition is saved as part of the database metadata. + +## Permissions + +You must have at least [Database Admin](../access-control/role-based-access-control.md) permissions to run this command. + +## Syntax + +`.create` `entity_group` [`ifnotexists`] *EntityGroupName* `(`[*EntityReference*`,` ...]`)` + +[!INCLUDE [syntax-conventions-note](../includes/syntax-conventions-note.md)] + +## Parameters + +|Name|Type|Required|Description| +|--|--|--|--| +| `ifnotexists` | `string` | | If specified, the entity group is only created if the entity group doesn't exist yet.| +|*EntityGroupName*| `string` | :heavy_check_mark:|The name of the entity group. | +|*EntityReference*| `string` | :heavy_check_mark:|An entity included in the entity group. | + +## Returns + +This command returns a table with the following columns: + +|Output parameter |Type |Description| +|---|---|---| +|Name | `string` | The name of the entity group.| +|Entities | `array` | An array which includes one or more entities. If the entity group already exists, and the `ifnotexists` flag is specified, the command is ignored. Otherwise, an error is returned.| + +## Examples + +The following example creates the `MyEntityGroup` entity group with two entities, `cluster('c1').database('d1')` and `cluster('c2').database('d2')`. 
+ +```kusto +.create entity_group MyEntityGroup (cluster('c1').database('d1'), cluster('c2').database('d2')) +``` + +|Name|Entities| +|---|---| +|MyEntityGroup|["cluster('c1').database('d1')","cluster('c2').database('d2')"]| + +## Related content + +* [Entity groups](entity-groups.md) +* [Entity types](../query/schema-entities/index.md) +* [.alter entity_group command](alter-entity-group.md) +* [.alter-merge entity_group command](alter-merge-entity-group.md) +* [.drop entity_group command](drop-entity-group.md) +* [.show entity_group(s) command](show-entity-group.md) \ No newline at end of file diff --git a/data-explorer/kusto/management/drop-entity-group.md b/data-explorer/kusto/management/drop-entity-group.md new file mode 100644 index 0000000000..4d52e0f962 --- /dev/null +++ b/data-explorer/kusto/management/drop-entity-group.md 
@@ -0,0 +1,55 @@ +--- +title: .drop entity_group command +description: Learn how to use the `.drop entity_group` command to remove an entity group from your database. +ms.reviewer: ziham1531991 +ms.topic: reference +ms.date: 01/27/2025 +--- + +# .drop entity_group command + +> [!INCLUDE [applies](../includes/applies-to-version/applies.md)] [!INCLUDE [fabric](../includes/applies-to-version/fabric.md)] [!INCLUDE [azure-data-explorer](../includes/applies-to-version/azure-data-explorer.md)] + +Drops an entity group from a database. + +## Permissions + +You must have at least [Database Admin](../access-control/role-based-access-control.md) permissions to run this command. + +## Syntax + +`.drop` `entity_group` *EntityGroupName* + +[!INCLUDE [syntax-conventions-note](../includes/syntax-conventions-note.md)] + +## Parameters + +|Name|Type|Required|Description| +|--|--|--|--| +|*EntityGroupName*| `string` | |The name of the specific entity group you want to drop. | + +## Returns + +This command returns a list of the remaining tables in the database. + +|Output parameter |Type |Description| +|---|---|---| +|Name | `string` | The name of the entity group.| +|Entities | `array` | An array with one or more entities.| + +## Examples + +The following example drops the `MyEntityGroup` from your selected database. + +```kusto +.drop entity_group MyEntityGroup +``` + +## Related content + +* [Entity groups](entity-groups.md) +* [Entity types](../query/schema-entities/index.md) +* [.create entity_group command](create-entity-group.md) +* [.alter entity_group command](alter-entity-group.md) +* [.alter-merge entity_group command](alter-merge-entity-group.md) +* [.show entity_group(s) command](show-entity-group.md) \ No newline at end of file diff --git a/data-explorer/kusto/management/entity-groups.md b/data-explorer/kusto/management/entity-groups.md new file mode 100644 index 0000000000..e80fc1dabf --- /dev/null +++ b/data-explorer/kusto/management/entity-groups.md 
@@ -0,0 +1,34 @@ +--- +title: Entity groups +description: Learn how to use Entity groups to store entity groups in the database. +ms.reviewer: ziham1531991 +ms.topic: reference +ms.date: 01/26/2025 +--- + +# Entity groups + +> [!INCLUDE [applies](../includes/applies-to-version/applies.md)] [!INCLUDE [fabric](../includes/applies-to-version/fabric.md)] [!INCLUDE [azure-data-explorer](../includes/applies-to-version/azure-data-explorer.md)] + +Entity groups are named entities stored in a database that the [macro-expand query operator](../query/macro-expand-operator.md) can reference. + + +Storing an entity group in the database, instead of providing its value in the query text itself, makes it easier to manage these objects. + +## Management commands + +|Function |Description| +|---------|-----------| +|[.alter entity_group](alter-entity-group.md) |Alters an existing entity group and stores it inside the database metadata. | +|[.alter-merge entity_group](alter-merge-entity-group.md) |Alters and merges the value of an existing entity group. | +|[.create entity_group](create-entity-group.md) |Creates a stored entity group.| +|[.drop entity_group](drop-entity-group.md) |Drops an entity group from the database. | +|[.show entity_group(s)](show-entity-group.md) |Lists all the stored entity groups, or a specific entity group, in the current database.| + +> [!NOTE] +> A query can only reference entity groups defined in the query text or in the scoped database. Out-of-scope entity groups that aren't within the query or database can’t be directly or indirectly referenced. + +## Related content + +* [macro-expand operator](../query/macro-expand-operator.md) +* [Entity types](../query/schema-entities/index.md) \ No newline at end of file diff --git a/data-explorer/kusto/management/show-entity-group.md b/data-explorer/kusto/management/show-entity-group.md new file mode 100644 index 0000000000..edf67c2c8d --- /dev/null +++ b/data-explorer/kusto/management/show-entity-group.md 
@@ -0,0 +1,82 @@ +--- +title: .show entity_group(s) command +description: Learn how to use the `.show entity_group` command to view existing entity groups. +ms.reviewer: ziham1531991 +ms.topic: reference +ms.date: 01/27/2025 +--- + +# .show entity_group(s) command + +> [!INCLUDE [applies](../includes/applies-to-version/applies.md)] [!INCLUDE [fabric](../includes/applies-to-version/fabric.md)] [!INCLUDE [azure-data-explorer](../includes/applies-to-version/azure-data-explorer.md)] + +Lists all the [entity groups](entity-groups.md) in the selected database or lists the details of one specific stored entity group. + +## Permissions + +You must have at least [Database Admin](../access-control/role-based-access-control.md) permissions to run this command. + +## Syntax + +`.show` `entity_groups` + +`.show` `entity_group` *EntityGroupName* + +[!INCLUDE [syntax-conventions-note](../includes/syntax-conventions-note.md)] + +## Parameters + +|Name|Type|Required|Description| +|--|--|--|--| +|*EntityGroupName*| `string` | |The name of the specific entity group you wish to view. | + +## Returns + +This command returns a table with the following columns: + +|Output parameter |Type |Description| +|---|---|---| +|Name | `string` | The name of the entity group.| +|Entities | `array` | An array which includes one or more entities. If the entity group doesn't exist, an error is returned.| + +## Examples + +The following examples show how to use the `.show entity_group` and `.show entity_group` commands. + +### Show entity groups + +The following example returns all the entity groups in the selected database, `eg1` and `eg2`, along with their entities. + +```kusto +.show entity_groups +``` + +**Output** + +|Name|Entities| +|---|---| +|eg1|["cluster('c1').database('d1')"]| +|eg2|["cluster('c2').database('d2')"]| + +### Show an entity group + +The following example returns the entity group, `eg1` along with its entity, `cluster('c1').database('d1')`. 
+ +```kusto +.show entity_group eg1 +``` + +**Output** + +|Name|Entities| +|---|---| +|eg1|["cluster('c1').database('d1')"]| + +## Related content + +* [Entity groups](entity-groups.md) +* [Entity types](../query/schema-entities/index.md) +* [.alter entity_group command](alter-entity-group.md) +* [.alter-merge entity_group command](alter-merge-entity-group.md) +* [.create entity_group command](create-entity-group.md) +* [.drop entity_group command](drop-entity-group.md) \ No newline at end of file diff --git a/data-explorer/kusto/management/toc.yml b/data-explorer/kusto/management/toc.yml index 10a2473ee9..20329efbce 100644 --- a/data-explorer/kusto/management/toc.yml +++ b/data-explorer/kusto/management/toc.yml @@ -255,6 +255,25 @@ items: - name: .alter-merge table column-docstrings command displayName: .alter-merge column-docstrings href: alter-merge-table-column.md + - name: Entity Group + items: + - name: Entity Group + href: entity-groups.md + - name: .create entity_group command + displayName: create entity_group + href: create-entity-group.md + - name: .alter entity_group command + displayName: alter entity_group + href: alter-entity-group.md + - name: .alter-merge entity_group command + displayName: alter-merge entity_group + href: alter-merge-entity-group.md + - name: .drop entity_group command + displayName: drop entity_group + href: drop-entity-group.md + - name: .show entity_group command + displayName: show entity_group, show entity_groups, .show entity_group + href: show-entity-group.md - name: Functions items: - name: Stored functions management overview diff --git a/data-explorer/kusto/query/macro-expand-operator.md b/data-explorer/kusto/query/macro-expand-operator.md new file mode 100644 index 0000000000..7e8417277d --- /dev/null +++ b/data-explorer/kusto/query/macro-expand-operator.md 
@@ -0,0 +1,168 @@ +--- +title: macro-expand operator +description: Learn how to use the macro-expand operator to run a subquery on a set of entities. +ms.reviewer: ziham1531991 +ms.topic: reference +ms.date: 01/30/2025 +--- +# macro-expand operator + +> [!INCLUDE [applies](../includes/applies-to-version/applies.md)] [!INCLUDE [fabric](../includes/applies-to-version/fabric.md)] [!INCLUDE [azure-data-explorer](../includes/applies-to-version/azure-data-explorer.md)] + +The `macro-expand` operator simplifies running a subquery on a set of [entities](schema-entities/index.md), such as clusters, databases, or tables, and then combining the results into a single output. + +The operator is useful when you have data spread across multiple clusters, databases, or tables. For example, when data is held in the same global region as its source, you can use the `macro-expand` operator in a single query across data in distinct locations, instead of running separate queries for each entity and combining the results manually. + +The set of entities you want to query is called an *entity group*. The entity group can be stored for reuse in a database or defined directly in your query text. For more information about stored entity groups, see [Entity groups](../management/entity-groups.md). + +The `macro-expand` operator runs the subquery separately for each entity in the group and then combines all the results into a single output. The subquery can include nested `macro-expand` operators. However, the identifier for the inner `macro-expand` must be different from the identifier for the outer `macro-expand` to clearly distinguish between the scope and references of each one. + +## Syntax + +`macro-expand` [`kind` `=` *Kind*] [`isfuzzy` `=` *IsFuzzy*] *EntityGroup* `as` *EntityIdentifier* `(`*Subquery*`)` + +`macro-expand` [`kind` `=` *Kind*] [`isfuzzy` `=` *IsFuzzy*] `entity_group` `[`*EntityReference* [`,` ...] 
`as` *EntityIdentifier* `(`*Subquery*`)``]` + +`macro-expand` *EntityIdentifier* `in` *EntityGroupIdentifier* `(`*Subquery*`)` + +> [!NOTE] +> The operation of the `macro-expand` operator can be modified by setting the `best_effort` request property to `true`, either by using a `set statement` or through [client request properties](../api/rest/request-properties.md). When this property is set to `true`, the `macro-expand` operator ignores fuzzy resolution and connectivity failures, to execute any of the subexpressions being unioned and issues a warning in the query status results. + +### Variations + +There are several ways to specify the entity group used by the `macro-expand` operator: + +- **Inline:** All elements are explicitly defined in the text of the operator invocation itself. For an example, see [Calculate errors](#calculate-errors). + +- **Via `let` statement:** The entity group is specified in the query using a `let` statement outside the `macro-expand` operator using the syntax: + + `let` *EntityGroupIdentifier* `=` `entity_group` `[`*EntityReference* [`,` ...]`]` + + For an example, see [Calculate SKU errors using `let` statement](#calculate-sku-errors-using-let-statement). + +- **Using a stored entity group:** The query uses an entity group stored in the database in scope rather than defined in the query. + + For an example, see [Extend table with contextual scalar functions](#extend-table-with-contextual-scalar-functions). + +## Parameters + +| Name | Type | Required | Description | +|--|--|--|--| +| *Kind* | `string` | | Either `inner` or `outer` (default). When `kind` is set to `inner`, the results only include columns common to all the accessed scoped entities. If set to `outer`, the result includes all the columns that occur in any of the inputs. Cells not defined by an input row are set to `null`. | +| *IsFuzzy* | | | When set to `true`, it only considers entity sources that currently exist and are accessible. 
If at least one entity is found, the query runs, and any missing entities generate warnings in the query status results. If no entities are found, the query can't resolve any specified entities and returns an error. The default is `false`. | +| *EntityGroup* | | :heavy_check_mark: | A set of one or more entities that *EntityIdentifier* expands into when a query is run. The entity group can be a stored entity group or a defined group. It denotes one or more entities of the same type that *EntityIdentifier* expands to. | +| *EntityIdentifier* | `string` | :heavy_check_mark: | An identifier that serves as a placeholder for an entity in the subquery, and which is expanded into the actual entity when the query is run. Entities that aren't explicitly scoped in *EntityIdentifier* are assumed to be part of the current in scope database. Any specific identifiers included in the query override the default assumption. | +|*EntityReference*| `string` | |An entity included in the entity group. One or more *EntityReference* is required if an *EntityGroup* isn't specified. | +| *Subquery* | `string` | :heavy_check_mark: | A single tabular expression that doesn’t take input data directly. It might include references to entities through an *EntityIdentifier*, and use expressions such as let statements, stored functions, or other elements from the database in scope. *Subquery* can be preceded by one or more `let` statements. It can also reference [Subquery contextual functions](#subquery-contextual-functions).| + +> [!NOTE] +> A query can only reference entity groups defined in the query text or in the current database. Entity groups in other databases or clusters can't be referenced directly or indirectly. + +### Subquery contextual functions + +The `macro-expand` subquery can reference two specialized scalar functions as if they're part of the entity being referenced: + +* `$current_database` - Returns the database name of the entity reference. 
+* `$current_cluster_endpoint` - Returns the URL of the cluster of the entity reference. + +## Examples + +The following examples show how to use the `macro-expand`operator. + +### Calculate errors + +The following example uses an [inline variation](#variations) entity group to calculate the number of errors produced by each Stock Keeping Unit (SKU). It defines an `entity_group`, `X`, that includes databases named `MyDatabase` in two clusters. The query then performs a subquery to filter for error logs and counts the errors by `Source`. Next it performs an `inner` join on `Source` with the `DimCluster` table to get the `SKU` for each source. Finally, it sums the error counts by `SKU`. + +```kusto +macro-expand entity_group [cluster('C1').database('MyDatabase'), cluster('C2').database('MyDatabase')] as X +( + X.Logs + | where Level == 'Error' + | summarize Count=count() by Source + | join kind=inner (X.DimCluster | project SKU, Source) on Source +) +| summarize Sum=sum(Count) by SKU +``` + +* The `summarize` operator works on the combined results of all expanded subqueries while the `macro-expand` operator is only applied to the subquery between the parentheses so it's clear which scope is expanded. + +* The `join` operator is executed separately for each entity in the `entity_group`. In the example, the `join` is performed between two tables in the same entity, denoted by `X`. This means there was no cross-cluster `join`. 
+ +To write the same query without using `macro-expand`, it might look as follows: + +```kusto +union + ( + cluster('C1').database('MyDatabase').Logs + | where Level == 'Error' + | summarize Count=count() by Source + | join kind=inner (cluster('C1').database('MyDatabase').DimCluster | project SKU, Source) on Source + ), + ( + cluster('C2').database('MyDatabase').Logs + | where Level == 'Error' + | summarize Count=count() by Source + | join kind=inner (cluster('C2').database('MyDatabase').DimCluster | project SKU, Source) on Source + ) +| summarize Sum=sum(Count) by SKU +``` + +### Calculate SKU errors using `let` statement + +The following example uses a [`let` statement](#variations) to define an entity group in a variable named `Greater` which includes the `MyDatabase` database from both `C1` and `C2` clusters. This entity group is then used to perform the same query in the [previous example](#calculate-errors) to calculate the number of errors produced by each SKU. The `macro-expand` operator is used to reference the `Greater` entity group (alias `X`). + +```kusto +let GreaterDatabase = entity_group [cluster('C1').database('MyDatabase'), cluster('C2').database('MyDatabase')]; +macro-expand GreaterDatabase as X +( + X.Logs + | where Level == 'Error' + | summarize Count=count() by Source + | join kind=inner (X.DimCluster | project SKU, Source) on Source +) +| summarize Sum=sum(Count) by SKU +``` + +### Extend table with contextual scalar functions + +The following query uses the [stored entity group](#variations) variation. It runs a subquery on the `Admins` table from each entity using the stored entity group `MyEntityGroup`. For more information on how to create a stored entity, see [.create entity_group command](../management/create-entity-group.md). It uses `$current_database` and `$current_cluster_endpoint` to extend the table, adding the current database and current cluster for each row. 
Then, it summarizes the results by counting the number of rows for each combination of `current_cluster` and `current_database`. + +```kusto +macro-expand MyEntityGroup as X +( + X.Admins + | extend current_database = X.$current_database, current_cluster = X.$current_cluster_endpoint +) +| summarize count() by current_cluster, current_database +``` + +### Nested macro-expand query + +The following query runs a nested subquery with an outer entity group `MyEntityGroup_Outer` (alias `X`) and an inner entity group `MyEntityGroup_Inner` (alias `Y`). It joins the `Admins` table from each entity in both the outer (`X`) and inner (`Y`) entity groups. The query filters for logs from the last hour. Then it extends the tables to include the current database and cluster for each row using `$current_database` and `$current_cluster_endpoint`. The query performs a `join` on the `Source` column to combine inner and outer entity groups. The prefixes `lhs` (left-hand side) and `rhs` (right-hand side) denote `X` and `Y` entity groups respectively. Finally, it summarizes the results by counting the number of rows for each combination of `lhs_cluster`, `lhs_database`, `rhs_cluster`, and `rhs_database`. 
+ +```kusto +macro-expand MyEntityGroup_Outer as X +( + macro-expand MyEntityGroup_Inner as Y + ( + X.Admins + | where Timestamp > ago(1h) + | extend lhs_database = X.$current_database, lhs_cluster = X.$current_cluster_endpoint + | join ( + Y.Admins + | where Timestamp > ago(1h) + | extend rhs_database = Y.$current_database, rhs_cluster = Y.$current_cluster_endpoint + ) on Source + ) +) +| summarize count() by lhs_cluster, lhs_database, rhs_cluster, rhs_database +``` + +## Related content + +* [Entity groups](../management/entity-groups.md) +* [join operator](join-operator.md) +* [union operator](union-operator.md) +* [.show entity_group(s) command](../management/show-entity-group.md) +* [current_database()](current-database-function.md) +* [current_cluster_endpoint()](current-cluster-endpoint-function.md) diff --git a/data-explorer/kusto/query/toc.yml b/data-explorer/kusto/query/toc.yml index a5cff9d2a8..121ee7ffab 100644 --- a/data-explorer/kusto/query/toc.yml +++ b/data-explorer/kusto/query/toc.yml @@ -167,6 +167,8 @@ items: href: join-time-window.md - name: lookup operator href: lookup-operator.md + - name: macro-expand operator + href: macro-expand-operator.md - name: mv-apply operator href: mv-apply-operator.md displayName: mv apply mv_apply @@ -1682,4 +1684,4 @@ items: - name: Timezones href: timezone.md - name: KQL docs navigation - href: ../docs-navigation.md \ No newline at end of file + href: ../docs-navigation.md
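
Review bot: In alter-entity-group.md, the Syntax line and the Parameters table list `ifnotexists` with the description "the entity group is only created if the entity group doesn't exist yet". That wording describes creation and does not say what the flag does for a command that alters an existing group. The Returns table only covers the case where the group is missing and the flag isn't specified, so the behavior with the flag set is never stated. Describe that case explicitly, or drop the flag from this page if it does not apply to `.alter`, and move the error condition out of the `Entities` column description into its own sentence under Returns. Since `.alter-merge` exists for adding entities, it would also help to state whether the list passed to `.alter` replaces the existing entities.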
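
Review bot: In alter-merge-entity-group.md, the front-matter `description` ("change an existing entity group") is the same as on the `.alter` page, so it doesn't tell the reader the two commands apart. Suggest wording that says entities are added to the existing list. The Returns section also doesn't say what happens when *EntityGroupName* doesn't exist or when an *EntityReference* is already in the group, although the sibling pages document their error cases.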
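
Review bot: In create-entity-group.md, the Syntax line writes the list as `(`[*EntityReference*`,` ...]`)`, which makes every entity optional, while the Parameters table marks *EntityReference* as required and the `.alter` and `.alter-merge` pages use `(`*EntityReference* [`,` ...]`)`. Align the bracket placement with the other pages. The example's result table is also missing the `**Output**` label that the other command pages put before it, and the `ifnotexists` outcome ("the command is ignored. Otherwise, an error is returned") sits inside the `Entities` column description instead of in its own sentence under Returns.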
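
Review bot: In drop-entity-group.md, the Returns section says "This command returns a list of the remaining tables in the database", but the table under it describes `Name` and `Entities` of an entity group, so the sentence and the table disagree about what comes back. State whether the output is the dropped group or the remaining entity groups, and fix the word "tables". In the Parameters table the Required cell for *EntityGroupName* is empty even though the Syntax line has no brackets around it, so it should carry `:heavy_check_mark:`. The page also doesn't say what happens when the named group doesn't exist.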
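
Review bot: In entity-groups.md, the front-matter `description` ("Learn how to use Entity groups to store entity groups in the database") is circular and doesn't say what an entity group is for. Suggest describing it in terms of the `macro-expand` operator, as the first body paragraph does. The "Management commands" table uses the column header `Function` for a list of commands, which should read `Command`, and the NOTE uses a typographic apostrophe in "can’t" where the rest of the file uses a straight one.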
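
Review bot: In show-entity-group.md, the Examples intro names the same command twice ("the `.show entity_group` and `.show entity_group` commands"), so one of them should be `.show entity_groups` to match the two Syntax forms. In the second example, "returns the entity group, `eg1` along with its entity" needs a comma after `eg1` or none before it. The `Entities` description also folds the "doesn't exist" error into a column description, so move it to a sentence under Returns and say it applies to the single-group form.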
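
Review bot: In management/toc.yml, the new parent node and its first child are both named `Entity Group`, while the page they link to is titled "Entity groups", so suggest `Entity groups` for the parent and something like `Entity groups overview` for the child. The last entry is named `.show entity_group command` although the page title is `.show entity_group(s) command`, and its `displayName` mixes forms with and without the leading dot (`show entity_group, show entity_groups, .show entity_group`), unlike the other four entries.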
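
Review bot: In macro-expand-operator.md, the second Syntax form closes the entity list in the wrong place: the `]` appears after `(`*Subquery*`)` instead of before `as`, which contradicts the inline example (`entity_group [cluster('C1')..., cluster('C2')...] as X`). The third form, `macro-expand` *EntityIdentifier* `in` *EntityGroupIdentifier* `(`*Subquery*`)`, is not covered by the Parameters table or by any example. In the `let` example, the prose calls the variable `Greater` while the code declares `GreaterDatabase`. The *IsFuzzy* row has no Type, and "`macro-expand`operator" in the Examples intro is missing a space. The `best_effort` NOTE is hard to parse ("ignores fuzzy resolution and connectivity failures, to execute any of the subexpressions being unioned"). Reword it to say plainly that the query can return partial results with only a warning, since anyone relying on the output to cover every cluster needs to check the query status.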