make_set

The make_set aggregation in APL (Axiom Processing Language) is used to collect unique values from a specific column into an array. It is useful when you want to reduce your data by grouping it and then retrieving all unique values for each group. This aggregation is valuable for tasks such as grouping logs, traces, or events by a common attribute and retrieving the unique values of a specific field for further analysis.

You can use make_set when you need to collect non-repeating values across rows within a group, such as finding all the unique HTTP methods in web server logs or unique trace IDs in telemetry data.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL users

In Splunk SPL, the values function is similar to make_set in APL. The main difference is that while values returns all non-null values, make_set specifically returns only unique values and stores them in an array.

| stats values(method) by id

ANSI SQL users

In ANSI SQL, the GROUP_CONCAT or ARRAY_AGG(DISTINCT) functions are commonly used to aggregate unique values in a column. make_set in APL works similarly by aggregating distinct values from a specific column into an array, but it offers better performance for large datasets.

SELECT id, ARRAY_AGG(DISTINCT method) 
FROM sample_http_logs 
GROUP BY id;

Usage

Syntax

make_set(column, [limit])

Parameters

column: The column from which unique values are aggregated.
limit: (Optional) The maximum number of unique values to return. Defaults to 128 if not specified.

Returns

An array of unique values from the specified column.

Use case examples

In this use case, you want to collect all unique HTTP methods used by each user in the log data.

Query

['sample-http-logs']
| summarize make_set(method) by id

Run in Playground

Output

id	make_set_method
user123	[‘GET’, ‘POST’]
user456	[‘GET’]

This query groups the log entries by id and returns all unique HTTP methods used by each user.

In this use case, you want to collect all unique HTTP methods used by each user in the log data.

Query

['sample-http-logs']
| summarize make_set(method) by id

Run in Playground

Output

id	make_set_method
user123	[‘GET’, ‘POST’]
user456	[‘GET’]

This query groups the log entries by id and returns all unique HTTP methods used by each user.

In this use case, you want to gather the unique service names involved in a trace.

Query

['otel-demo-traces']
| summarize make_set(['service.name']) by trace_id

Run in Playground

Output

trace_id	make_set_service.name
traceA	[‘frontend’, ‘checkoutservice’]
traceB	[‘cartservice’]

This query groups the telemetry data by trace_id and collects the unique services involved in each trace.

In this use case, you want to collect all unique HTTP status codes for each country where the requests originated.

Query

['sample-http-logs']
| summarize make_set(status) by ['geo.country']

Run in Playground

Output

geo.country	make_set_status
USA	[‘200’, ‘404’]
UK	[‘200’]

This query collects all unique HTTP status codes returned for each country from which requests were made.

make_list: Similar to make_set, but returns all values, including duplicates, in a list. Use make_list if you want to preserve duplicates.
count: Counts the number of records in each group. Use count when you need the total count rather than the unique values.
dcount: Returns the distinct count of values in a column. Use dcount when you need the number of unique values, rather than an array of them.
max: Finds the maximum value in a group. Use max when you are interested in the largest value rather than collecting values.

make_list_if make_set_if

On this page

For users of other query languages
Usage
Syntax
Parameters
Returns
Use case examples
List of related aggregations

You can use make_set when you need to collect non-repeating values across rows within a group, such as finding all the unique HTTP methods in web server logs or unique trace IDs in telemetry data.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL users

| stats values(method) by id

ANSI SQL users

SELECT id, ARRAY_AGG(DISTINCT method) 
FROM sample_http_logs 
GROUP BY id;

Usage

Syntax

make_set(column, [limit])

Parameters

column: The column from which unique values are aggregated.
limit: (Optional) The maximum number of unique values to return. Defaults to 128 if not specified.

Returns

An array of unique values from the specified column.

Use case examples

In this use case, you want to collect all unique HTTP methods used by each user in the log data.

Query

['sample-http-logs']
| summarize make_set(method) by id

Run in Playground

Output

id	make_set_method
user123	[‘GET’, ‘POST’]
user456	[‘GET’]

This query groups the log entries by id and returns all unique HTTP methods used by each user.

In this use case, you want to collect all unique HTTP methods used by each user in the log data.

Query

['sample-http-logs']
| summarize make_set(method) by id

Run in Playground

Output

id	make_set_method
user123	[‘GET’, ‘POST’]
user456	[‘GET’]

This query groups the log entries by id and returns all unique HTTP methods used by each user.

In this use case, you want to gather the unique service names involved in a trace.

Query

['otel-demo-traces']
| summarize make_set(['service.name']) by trace_id

Run in Playground

Output

trace_id	make_set_service.name
traceA	[‘frontend’, ‘checkoutservice’]
traceB	[‘cartservice’]

This query groups the telemetry data by trace_id and collects the unique services involved in each trace.

In this use case, you want to collect all unique HTTP status codes for each country where the requests originated.

Query

['sample-http-logs']
| summarize make_set(status) by ['geo.country']

Run in Playground

Output

geo.country	make_set_status
USA	[‘200’, ‘404’]
UK	[‘200’]

This query collects all unique HTTP status codes returned for each country from which requests were made.

make_list: Similar to make_set, but returns all values, including duplicates, in a list. Use make_list if you want to preserve duplicates.
count: Counts the number of records in each group. Use count when you need the total count rather than the unique values.
dcount: Returns the distinct count of values in a column. Use dcount when you need the number of unique values, rather than an array of them.
max: Finds the maximum value in a group. Use max when you are interested in the largest value rather than collecting values.

make_list_if make_set_if

On this page

For users of other query languages
Usage
Syntax
Parameters
Returns
Use case examples
List of related aggregations

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

Get started

Functions

Operators

Reference

Migration

make_set

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

​For users of other query languages

​Usage

​Syntax

​Parameters

​Returns

​Use case examples

​List of related aggregations

Get started

Functions

Operators

Reference

Migration

​For users of other query languages

​Usage

​Syntax

​Parameters

​Returns

​Use case examples

​List of related aggregations

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

List of related aggregations

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

List of related aggregations