Use the pack_dictionary function in APL to construct a dynamic property bag (dictionary) from a list of keys and values. The resulting dictionary maps each specified key to its corresponding value and allows you to store key-value pairs in a single column for downstream operations like serialization, custom grouping, or structured export.
pack_dictionary is especially useful when you want to:
- Create flexible data structures for export or transformation.
- Group dynamic sets of key-value metrics or attributes into a single column.
- Combine multiple scalar fields into a single dictionary for post-processing or output.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
While SPL doesn’t have a direct equivalent of pack_dictionary, you can simulate similar behavior using the eval command and mvzip or mvmap to construct composite objects. In APL, pack_dictionary is a simpler and more declarative way to produce key-value structures inline.
| extend dict = pack_dictionary('key1', value1, 'key2', value2)ANSI SQL lacks built-in support for dynamic dictionaries. You typically achieve similar functionality by manually assembling JSON strings or using vendor-specific extensions (like PostgreSQL’s jsonb_build_object). In contrast, APL provides a native and type-safe way to construct dictionaries using pack_dictionary.
| extend dict = pack_dictionary('key1', value1, 'key2', value2)Usage
Syntax
pack_dictionary(key1, value1, key2, value2, ...)Parameters
| Name | Type | Description |
|---|---|---|
| keyN | string |
A constant string that represents a dictionary key. |
| valueN | scalar |
A scalar value to associate with the corresponding key. |
- The number of arguments must be even.
- Keys must be constant strings.
- Values can be any scalar type.
Returns
A dynamic object that represents a dictionary where each key maps to its associated value.
Use case examples
Use pack_dictionary to store request metadata in a compact format for structured inspection or export.
Query
['sample-http-logs']
| extend request_info = pack_dictionary(
'method', method,
'uri', uri,
'status', status,
'duration', req_duration_ms
)
| project _time, id, request_infoOutput
| _time | id | request_info |
|---|---|---|
| 2025-06-18T14:35:00Z | user42 | { "method": "GET", "uri": "/home", "status": "200", "duration": 82 } |
This example creates a single request_info column that contains key HTTP request data as a dictionary, simplifying downstream analysis or visualization.
Use pack_dictionary to consolidate trace metadata into a structured format for export or debugging.
Query
['otel-demo-traces']
| extend trace_metadata = pack_dictionary(
'trace_id', trace_id,
'span_id', span_id,
'service', ['service.name'],
'kind', kind,
'status_code', status_code
)
| project _time, duration, trace_metadataOutput
| _time | duration | trace_metadata |
|---|---|---|
| 2025-06-18T14:40:00Z | 00:00:01 | { "trace_id": "abc123", "span_id": "def456", "service": "checkoutservice", "kind": "server", "status_code": "OK" } |
This query generates a trace_metadata column that organizes important trace identifiers and status into a single dynamic field.
Use pack_dictionary to package request metadata along with geographic information for audit logging or incident forensics.
Query
['sample-http-logs']
| extend geo_info = pack_dictionary(
'city', ['geo.city'],
'country', ['geo.country']
)
| extend request_info = pack_dictionary(
'method', method,
'uri', uri,
'status', status,
'geo', geo_info
)
| project _time, id, request_infoOutput
| _time | id | request_info |
|---|---|---|
| 2025-06-18T14:20:00Z | user88 | { "method": "POST", "uri": "/login", "status": "403", "geo": { "city": "Berlin", "country": "DE" } } |
This example nests geographic context inside the main dictionary to create a structured log suitable for security investigations.
List of related functions
- pack_array: Use this to combine scalar values into an array. Use
pack_arraywhen you don’t need named keys and want positional data instead. - bag_keys: Returns the list of keys in a dynamic dictionary. Use this to inspect or filter contents created by
pack_dictionary. - bag_pack: Expands a dictionary into multiple columns. Use it to revert the packing performed by
pack_dictionary.