The make_list aggregation function in Axiom Processing Language (APL) collects all values from a specified column into a dynamic array for each group of rows in a dataset. This aggregation is particularly useful when you want to consolidate multiple values from distinct rows into a single grouped result.
For example, if you have multiple log entries for a particular user, you can use make_list to gather all request URIs accessed by that user into a single list. You can also apply make_list to various contexts, such as trace aggregation, log analysis, or security monitoring, where collating related events into a compact form is needed.
Key uses of make_list:
- Consolidating values from multiple rows into a list per group.
- Summarizing activity (for example, list all HTTP requests by a user).
- Generating traces or timelines from distributed logs.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, the make_list equivalent is values or mvlist, which gathers multiple values into a multivalue field. In APL, make_list behaves similarly by collecting values from rows into a dynamic array.
['sample-http-logs']
| summarize uris=make_list(uri) by idIn ANSI SQL, the make_list function is similar to ARRAY_AGG, which aggregates column values into an array for each group. In APL, make_list performs the same role, grouping the column values into a dynamic array.
['sample-http-logs']
| summarize uris=make_list(uri) by idUsage
Syntax
make_list(column)Parameters
column: The name of the column to collect into a list.
Returns
The make_list function returns a dynamic array that contains all values of the specified column for each group of rows.
Use case examples
In log analysis, make_list is useful for collecting all URIs a user has accessed in a session. This can help in identifying browsing patterns or tracking user activity.
Query
['sample-http-logs']
| summarize uris=make_list(uri) by idOutput
| id | uris |
|---|---|
| user123 | [‘/home’, ‘/profile’, ‘/cart’] |
| user456 | [‘/search’, ‘/checkout’, ‘/pay’] |
This query collects all URIs accessed by each user, providing a compact view of user activity in the logs.
In OpenTelemetry traces, make_list can help in gathering the list of services involved in a trace by consolidating all service names related to a trace ID.
Query
['otel-demo-traces']
| summarize services=make_list(['service.name']) by trace_idOutput
| trace_id | services |
|---|---|
| trace_a | [‘frontend’, ‘cartservice’, ‘checkoutservice’] |
| trace_b | [‘productcatalogservice’, ‘loadgenerator’] |
This query aggregates all service names associated with a particular trace, helping trace spans across different services.
In security logs, make_list is useful for collecting all IPs or cities from where a user has initiated requests, aiding in detecting anomalies or patterns.
Query
['sample-http-logs']
| summarize cities=make_list(['geo.city']) by idOutput
| id | cities |
|---|---|
| user123 | [‘New York’, ‘Los Angeles’] |
| user456 | [‘Berlin’, ‘London’] |
This query collects the cities from which each user has made HTTP requests, useful for geographical analysis or anomaly detection.
List of related aggregations
- make_set: Similar to
make_list, but only unique values are collected in the set. Usemake_setwhen duplicates aren’t relevant. - count: Returns the count of rows in each group. Use this instead of
make_listwhen you’re interested in row totals rather than individual values. - max: Aggregates values by returning the maximum value from each group. Useful for numeric comparison across rows.
- dcount: Returns the distinct count of values for each group. Use this when you need unique value counts instead of listing them.