7

I have a table which I would like to get the latest entry for each group using Kusto Query Language. Here's the table:

DocumentStatusLogs

ID DocumentID Status DateCreated
2 1 S1 7/29/2011
3 1 S2 7/30/2011
6 1 S1 8/02/2011
1 2 S1 7/28/2011
4 2 S2 7/30/2011
5 2 S3 8/01/2011
6 3 S1 8/02/2011

The table would be grouped by DocumentID and sorted by DateCreated in descending order. For each DocumentID, I want to get the latest status.

My preferred output:

DocumentID Status DateCreated
1 S1 8/02/2011
2 S3 8/01/2011
3 S1 8/02/2011

Is there any way to get only the top from each group using KQL?

The pseudo-code GetOnlyTheTop is as follows:

SELECT
  DocumentID,
  GetOnlyTheTop(Status),
  GetOnlyTheTop(DateCreated)
FROM DocumentStatusLogs
GROUP BY DocumentID
ORDER BY DateCreated DESC

Credit: Question adapted from DPP's SQL question: Get top 1 row of each group

cmomah
  • 165
  • 2
  • 9

1 Answers1

22

You can use the partition operator, or the arg_max() aggregation function.

For example:

DocumentStatusLogs
| partition by DocumentId
(
    top 1 by DateCreated desc
)

Or

DocumentStatusLogs
| summarize arg_max(DateCreated, *) by DocumentId
Yoni L.
  • 22,627
  • 2
  • 29
  • 48
  • I just realized that the `partition` operator was enhanced and now supports limitless partitions (and not just 64). Amazing improvement for KQL. Thanks Yoni! :-) – David דודו Markovitz Mar 25 '22 at 11:21
  • @DavidדודוMarkovitz - it does not actually. Just got the error message `partition operator: exceeded amount of maximum partitions allowed (64)` – cdrrr Jun 19 '23 at 08:45
  • as mentioned in [the documentation for the `partition` operator](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/partitionoperator), the limit on 64 partitions still exists for the Legacy strategy. you can use a different strategy (e.g. `native`) if required – Yoni L. Jun 19 '23 at 15:57