fork operator

Runs multiple consumer operators in parallel.

Syntax

T | fork [name=](subquery) [name=](subquery) ...

Arguments

  • subquery is a downstream pipeline of query operators
  • name is a temporary name for the subquery result table

Returns

Multiple result tables, one for each of the subqueries.

Supported Operators

as, count, extend, parse, where, take, project, project-away, project-keep, project-rename, project-reorder, summarize, top, top-nested, sort, mv-expand, reduce

Notes

  • materialize function can be used as a replacement for using join or union on fork legs. The input stream will be cached by materialize and then the cached expression can be used in join/union legs.

  • A name, given by the name argument or by using as operator will be used as the to name the result tab in Kusto.Explorer tool.

  • Avoid using fork with a single subquery.

  • Prefer using batch with materialize of tabular expression statements over fork operator.

Examples

KustoLogs
| where Timestamp > ago(1h)
| fork
    ( where Level == "Error" | project EventText | limit 100 )
    ( project Timestamp, EventText | top 1000 by Timestamp desc)
    ( summarize min(Timestamp), max(Timestamp) by ActivityID )

// In the following examples the result tables will be named: Errors, EventsTexts and TimeRangePerActivityID
KustoLogs
| where Timestamp > ago(1h)
| fork
    ( where Level == "Error" | project EventText | limit 100 | as Errors )
    ( project Timestamp, EventText | top 1000 by Timestamp desc | as EventsTexts )
    ( summarize min(Timestamp), max(Timestamp) by ActivityID | as TimeRangePerActivityID )

 KustoLogs
| where Timestamp > ago(1h)
| fork
    Errors = ( where Level == "Error" | project EventText | limit 100 )
    EventsTexts = ( project Timestamp, EventText | top 1000 by Timestamp desc )
    TimeRangePerActivityID = ( summarize min(Timestamp), max(Timestamp) by ActivityID )

This capability isn't supported in Azure Monitor