You might find it useful to create a list only of distinct values. This list is called a set, and you can generate it by using the makeset command: Event | where TimeGenerated > ago(12h) | order by TimeGenerated desc | summarize makeset(EventID) by Computer

I think that correct solution is to use summarize makeset(EventId) as makeset select distinct values. In question there is written: "You need to identify the distinct event IDs of each virtual machine as shown in the following table." and I think we cannot assume that eventId won't repeat in multiple logs.

In Whizlabs, the same question has the answer as count() instead of make_set()

Provided solution is correct

So the requirements is "You need to identify the distinct event IDs" take note the "distinct" and here is the difference between set and list List: A list is an ordered collection of elements, where duplicate values are allowed. The order of elements matters, and elements can be accessed by their index in the list. Lists allow duplicate values, so an element can appear multiple times in the same list. Set: A set is an unordered collection of distinct elements, meaning each element can occur only once. The order of elements does not matter in a set. Sets do not allow duplicate values, so each element can only appear once in the set. So that answer should be summarize makeset(EventId) by Computer

summarize and make_set make_list does not do distinct

says 'distinct' ... i'd use makeset

Both queries will return distinct event IDs for each virtual machine, but the way the event IDs are presented is different. The first query, "Event - | where TimeGenerated > ago(12h) | order by TimeGenerated desc | summarize makeset(EventID) by Computer" will return a set of distinct event IDs for each virtual machine, so it will eliminate the duplicate event IDs and will present the event IDs in an unordered format. The second query, "Event - | where TimeGenerated > ago(12h) | order by TimeGenerated desc | summarize makelist(EventID) by Computer" will return a list of all the event IDs for each virtual machine, including duplicates and will present the event IDs in an ordered format. So, it depends on the use case, if you want to identify the distinct events and eliminate the duplicates, it is better to use the first query. If you want to see all the events including the duplicates, it's better to use the second query.

make_set() (aggregation function) Creates a dynamic JSON array of the set of distinct values that Expr takes in the group. https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/makeset-aggfunction

makelist() has been deprecated in favor of make_list. The legacy version has a default MaxSize limit of 128.

https://docs.microsoft.com/fi-fi/azure/data-explorer/kusto/query/samples?pivots=azuremonitor answer is summarize makeset()

summary --> Makelist

Summarize / makeset(EventId). Came today 22 july 9

Summarise Makeset

summarize + makeset (for distinct) https://docs.microsoft.com/fr-fr/azure/data-explorer/kusto/query/makeset-aggfunction

|summarize makeset(EventID) by Computer ==> is correct answer as demonstrated Microsoft document : makelist generates a list in the order that data was passed into it. To sort events from oldest to newest, use asc in the order statement instead of desc. You might find it useful to create a list only of distinct values. This list is called a set, and you can generate it by using the makeset command: Kusto Kopioi Event | where TimeGenerated > ago(12h) | order by TimeGenerated desc | summarize makeset(EventID) by Computer

Summarize makeset(EventID) is the correct answer because we need to distinct the output values.