Knowledge BaseCommunityRelease NotesRequest Demo

Extend Operator

Overview

Add new calculated fields with extend.

| extend <dest>=<expression>[, ...]

Examples

Example data

let aws_alb = datatable [
  {"type": "https", "p_event_time": "2023-09-16 05:59:04.058", "sentBytes": 167},
  {"type": "https", "p_event_time": "2023-09-16 05:45:34.863", "sentBytes": 329},
  {"type": "https", "p_event_time": "2023-09-16 05:36:09.017", "sentBytes": 167},
  {"type": "https", "p_event_time": "2023-09-16 05:27:39.177", "sentBytes": 468992}
];

Add a new field

The query below adds the field sentKB, which is calculated by dividing the value of sentBytes by 1024:

aws_alb
| extend sentKB = sentBytes / 1024
EVENT

{ "p_event_time": "2023-09-16 05:59:04.058", "sentBytes": 167, "sentKB": 0.1630859375, "type": "https" }

{ "p_event_time": "2023-09-16 05:45:34.863", "sentBytes": 329, "sentKB": 0.3212890625, "type": "https" }

{ "p_event_time": "2023-09-16 05:36:09.017", "sentBytes": 167, "sentKB": 0.1630859375, "type": "https" }

{ "p_event_time": "2023-09-16 05:27:39.177", "sentBytes": 468992, "sentKB": 458, "type": "https" }

Add multiple new fields

The query below adds multiple fields, separated by commas:

aws_alb
| extend sentKB = sentBytes / 1024, sentMB = sentKB / 1024
EVENT

{ "p_event_time": "2023-09-16 05:59:04.058", "sentBytes": 167, "sentKB": 0.1630859375, "sentMB": 0.0001592636108398438, "type": "https" }

{ "p_event_time": "2023-09-16 05:45:34.863", "sentBytes": 329, "sentKB": 0.3212890625, "sentMB": 0.0003137588500976562, "type": "https" }

{ "p_event_time": "2023-09-16 05:36:09.017", "sentBytes": 167, "sentKB": 0.1630859375, "sentMB": 0.0001592636108398438, "type": "https" }

{ "p_event_time": "2023-09-16 05:27:39.177", "sentBytes": 468992, "sentKB": 458, "sentMB": 0.447265625, "type": "https" }

Reference added fields in subsequent expressions

Added fields can be referenced in subsequent query expressions, for example in a where operator:

aws_alb
| extend sentKB = sentBytes / 1024
| where sentKB > 2
EVENT

{ "p_event_time": "2023-09-16 05:27:39.177", "sentBytes": 468992, "sentKB": 458, "type": "https" }

Remove a field

Fields can also be removed using extend by setting them to null:

aws_alb
| extend sentBytes = null
EVENT

{ "p_event_time": "2023-09-16 05:59:04.058", "type": "https" }

{ "p_event_time": "2023-09-16 05:45:34.863", "type": "https" }

{ "p_event_time": "2023-09-16 05:36:09.017", "type": "https" }

{ "p_event_time": "2023-09-16 05:27:39.177", "type": "https" }

PreviousDatatable OperatorNextJoin Operator

Last updated

Was this helpful?