How to write Kusto query to get results in one table?

Question

I have 2 KQL queries and I want to combine them in order to display two rows as one result. Not just result of first query, then result of second query:

R_CL
| where isnotempty(SrcIP_s) 
| project Message 
| take 1;

R_CL
| where isempty(SrcIP_s) 
| project Message 
| take 1

See sample R_L below.I would like to see 2 rows as result, one with SrcIP_s not empty, and the second with SrcIP_s empty (in this case it will be always same one)

let R_CL = datatable ( SrcIP_s:string, Message:string)
["1.1.1.1" ,"one",
"" ,"two",
"2.2.2.2","three",
"3.3.3.3","four"];
R_CL
| project SrcIP_s, Message

score 9 · Answer 1 · answered Feb 22 '21 at 12:38

A simple solution for this would be to use the union operator like this:

let query1 = R_CL
    | where isnotempty(SrcIP_s) 
    | project Message 
    | take 1;

let query2 = R_CL
    | where isempty(SrcIP_s) 
    | project Message 
    | take 1;

query1
| union query2;

score 7 · Answer 2 · answered Jan 20 '20 at 17:17

I know this is an old request - but here's a sample query using views and a union for your single query:

Your two separate queries...

R_CL
| where isnotempty(SrcIP_s) 
| project Message 
| take 1;

R_CL
| where isempty(SrcIP_s) 
| project Message 
| take 1

would become:

let Query1 = view () {
R_CL
| where isnotempty(SrcIP_s) 
| project Message 
| take 1;
};
let Query2 = view () {
R_CL
| where isempty(SrcIP_s) 
| project Message 
| take 1
};    
union withsource="TempTableName" Query1, Query2

This just gives me the error "'union' operator: Failed to resolve table expression named 'Query1'" — Liam, Feb 19 '21 at 16:13

How to write Kusto query to get results in one table?

2 Answers2

Linked