Tabular Operators
project operator
Selects the fields to insert, rename, include, or drop and embeds new computed columns.
Syntax
| project ColumnName [= Expression] [, ...]| project FieldName, FieldName, FieldName, ...or
| project [FieldName, FieldName[,] = Expression [, ...]Arguments
| name | type | description |
|---|---|---|
| Field Name(Column Name) | string | Name of a Field (column) to appear in the output. If there is no Expression, then Field Name is compulsory and a column of that name must appear in the input |
| Expression | expression | Optional scalar expression referencing the input columns. |
Returns
A table that has the field named 'arguments' and as many rows as the input table.
Example
['http-logs']
| project ['geo.country'] = ['id']['http-logs']
| project ['geo.country'] = ['id'], method = ['geo.city']['http-logs']
| project ['geo.city'], content_type, ['geo.country'], ['id'], is_tls
