Extend Operator

Overview

Add new calculated fields with extend.

| extend <dest>=<expression>[, ...]

Examples

Example data

let aws_alb = datatable [
  {"type": "https", "p_event_time": "2023-09-16 05:59:04.058", "sentBytes": 167},
  {"type": "https", "p_event_time": "2023-09-16 05:45:34.863", "sentBytes": 329},
  {"type": "https", "p_event_time": "2023-09-16 05:36:09.017", "sentBytes": 167},
  {"type": "https", "p_event_time": "2023-09-16 05:27:39.177", "sentBytes": 468992}
];

Add a new field

The query below adds the field sentKB, which is calculated by dividing the value of sentBytes by 1024:

aws_alb
| extend sentKB = sentBytes / 1024

p_event_time

sentBytes

sentKB

type

2023-09-16 05:59:04.058

167

0.1630859375

https

2023-09-16 05:45:34.863

329

0.3212890625

https

2023-09-16 05:36:09.017

167

0.1630859375

https

2023-09-16 05:27:39.177

468992

458

https

Add multiple new fields

The query below adds multiple fields, separated by commas:

aws_alb
| extend sentKB = sentBytes / 1024, sentMB = sentKB / 1024

p_event_time

sentBytes

sentKB

sentMB

type

2023-09-16 05:59:04.058

167

0.1630859375

0.0001592636108398438

https

2023-09-16 05:45:34.863

329

0.3212890625

0.0003137588500976562

https

2023-09-16 05:36:09.017

167

0.1630859375

0.0001592636108398438

https

2023-09-16 05:27:39.177

468992

458

0.447265625

https

Reference added fields in subsequent expressions

Added fields can be referenced in subsequent query expressions, for example in a where operator:

aws_alb
| extend sentKB = sentBytes / 1024
| where sentKB > 2

p_event_time

sentBytes

sentKB

type

2023-09-16 05:27:39.177

468992

458

https

Remove a field

Fields can also be removed using extend by setting them to null:

aws_alb
| extend sentBytes = null

p_event_time

type

2023-09-16 05:59:04.058

https

2023-09-16 05:45:34.863

https

2023-09-16 05:36:09.017

https

2023-09-16 05:27:39.177

https

PreviousDatatable Operator NextJoin Operator

Last updated 4 months ago