fork operator
Runs multiple consumer operators in parallel.
Syntax
T | fork [name=](subquery) [name=](subquery) ...
Arguments
- subquery is a downstream pipeline of query operators
- name is a temporary name for the subquery result table
Returns
Multiple result tables, one for each of the subqueries.
Supported Operators
as, count, extend, parse, where, take, project, project-away, project-keep, project-rename, project-reorder, summarize, top, top-nested, sort, mv-expand, reduce
Notes
materializefunction can be used as a replacement for usingjoinorunionon fork legs. The input stream will be cached by materialize and then the cached expression can be used in join/union legs.A name, given by the
nameargument or by usingasoperator will be used as the to name the result tab inKusto.Explorertool.Avoid using
forkwith a single subquery.Prefer using batch with
materializeof tabular expression statements overforkoperator.
Examples
In the following example, the result tables will be named "GenericResult", "GenericResult_2" and "GenericResult_3":
KustoLogs
| where Timestamp > ago(1h)
| fork
( where Level == "Error" | project EventText | limit 100 )
( project Timestamp, EventText | top 1000 by Timestamp desc)
( summarize min(Timestamp), max(Timestamp) by ActivityID )
In the following examples, the result tables will be named "Errors", "EventsTexts" and "TimeRangePerActivityID":
KustoLogs
| where Timestamp > ago(1h)
| fork
( where Level == "Error" | project EventText | limit 100 | as Errors )
( project Timestamp, EventText | top 1000 by Timestamp desc | as EventsTexts )
( summarize min(Timestamp), max(Timestamp) by ActivityID | as TimeRangePerActivityID )
KustoLogs
| where Timestamp > ago(1h)
| fork
Errors = ( where Level == "Error" | project EventText | limit 100 )
EventsTexts = ( project Timestamp, EventText | top 1000 by Timestamp desc )
TimeRangePerActivityID = ( summarize min(Timestamp), max(Timestamp) by ActivityID )
This capability isn't supported in Azure Monitor
Feedback
Submit and view feedback for