MicrosoftDocs
diff --git a/‎data-explorer/includes/cross-repo/fluent-bit-2.md‎
Lines changed: 67 additions & 27 deletions b/‎data-explorer/includes/cross-repo/fluent-bit-2.md‎
Lines changed: 67 additions & 27 deletions
diff --git a/‎data-explorer/kusto/query/arg-max-aggregation-function.md‎
Lines changed: 5 additions & 14 deletions b/‎data-explorer/kusto/query/arg-max-aggregation-function.md‎
Lines changed: 5 additions & 14 deletions
diff --git a/‎data-explorer/kusto/query/arg-min-aggregation-function.md‎
Lines changed: 3 additions & 11 deletions b/‎data-explorer/kusto/query/arg-min-aggregation-function.md‎
Lines changed: 3 additions & 11 deletions
diff --git a/‎data-explorer/kusto/query/array-iff-function.md‎
Lines changed: 5 additions & 3 deletions b/‎data-explorer/kusto/query/array-iff-function.md‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎data-explorer/kusto/query/beta-inv-function.md‎
Lines changed: 2 additions & 0 deletions b/‎data-explorer/kusto/query/beta-inv-function.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎data-explorer/kusto/query/consume-operator.md‎
Lines changed: 11 additions & 8 deletions b/‎data-explorer/kusto/query/consume-operator.md‎
Lines changed: 11 additions & 8 deletions
diff --git a/‎data-explorer/kusto/query/distinct-operator.md‎
Lines changed: 2 additions & 2 deletions b/‎data-explorer/kusto/query/distinct-operator.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎data-explorer/kusto/query/geo-s2cell-to-central-point-function.md‎
Lines changed: 2 additions & 0 deletions b/‎data-explorer/kusto/query/geo-s2cell-to-central-point-function.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎data-explorer/kusto/query/geo-s2cell-to-polygon-function.md‎
Lines changed: 3 additions & 1 deletion b/‎data-explorer/kusto/query/geo-s2cell-to-polygon-function.md‎
Lines changed: 3 additions & 1 deletion
@@ -74,18 +74,32 @@ To configure Fluent Bit to send logs to your table in Kusto, create a [classic m
 | tenant_id | The tenant ID from [Create a Microsoft Entra service principal](#create-a-microsoft-entra-service-principal). | :heavy_check_mark: |  |
 | client_id | The application ID from [Create a Microsoft Entra service principal](#create-a-microsoft-entra-service-principal). | :heavy_check_mark: |  |
 | client_secret | The client secret key value (password) from [Create a Microsoft Entra service principal](#create-a-microsoft-entra-service-principal). | :heavy_check_mark: |  |
+| managed_identity_client_id | The client ID of the managed identity to use for authentication. | :heavy_check_mark:  |  |
 | ingestion_endpoint | Enter the value as described for [Ingestion_Endpoint](#ingestion-uri). | :heavy_check_mark: |  |
 | database_name | The name of the database that contains your logs table. | :heavy_check_mark: |  |
 | table_name | The name of the table from [Create a target table](#create-a-target-table). | :heavy_check_mark: |  |
 | ingestion_mapping_reference | The name of the ingestion mapping from [Create a target table](#create-a-target-table). If you didn't create an ingestion mapping, remove the property from the configuration file. |  |  |
 | log_key | Key name of the log content. For instance, `log`. |  | `log` |
+| include_tag_key | If enabled, a tag is appended to output.|  | `On` |
 | tag_key | The key name of tag. Ignored if `include_tag_key` is false. |  | `tag` |
-| include_time_key | A timestamp is appended to output, if enabled. Uses the `time_key` property. |  | `true` |
+| include_time_key | A timestamp is appended to output, if enabled. Uses the `time_key` property. |  | `On` |
 | time_key | The key name for the timestamp in the log records. Ignored if `include_time_key` false. |  | `timestamp` |
-| ingestion_endpoint_connect_timeout | The connection timeout of various Kusto endpoints in seconds. |   | `60s` |
+| ingestion_endpoint_connect_timeout | The connection timeout of various Kusto endpoints in seconds. |   | `60` |
 | compression_enabled | Sends compressed HTTP payload (gzip) to Kusto, if enabled. |  | `true` |
-| ingestion_resources_refresh_interval | The ingestion resources refresh interval of Kusto endpoint in seconds. |  | `3600` |
+| ingestion_resources_refresh_interval | The ingestion resources refresh interval of Kusto endpoint in seconds. |  |  |
 | workers | The number of [workers](https://docs.fluentbit.io/manual/administration/multithreading#outputs) to perform flush operations for this output. |  | `0` |
+| buffering_enabled | If enabled, buffers data into disk before ingesting into Kusto. |  | `Off` |
+| buffer_path | Specifies the location of the directory where the buffered data will be stored if `buffering_enabled` is `On`. |  | `/tmp/fluent-bit/azure-kusto/` |
+| upload_timeout | Specifies the timeout for uploads if `buffering_enabled` is `On`. Files older than this are ingested even if below size limit. | | `30m` |
+| upload_file_size | Specifies the maximum size of a file to be uploaded if `buffering_enabled` is `On`. | | `200MB` |
+| azure_kusto_buffer_key | Azure Kusto buffer key to identify plugin instances when `buffering_enabled` is `On`. Required for multiple Azure Kusto outputs with buffering. |  | `key` |
+| store_dir_limit_size | The maximum size of the directory where buffered data is stored if `buffering_enabled` is `On`. |  | `8GB` |
+| buffer_file_delete_early| When `buffering_enabled` is `On`, whether to delete the buffered file early after successful blob creation. |  | `Off` |
+| unify_tag | Creates a single buffer file when `buffering_enabled` is `On`. | | `On` |
+| blob_uri_length | Set the length of generated blob URI before ingesting to Kusto. | | `64` |
+| scheduler_max_retries | When `buffering_enabled` is `On`, set the maximum number of retries for ingestion using the scheduler. | | `3` |
+| delete_on_max_upload_error | When `buffering_enabled` is `On`, whether to delete the buffer file on maximum upload errors. | | `Off` |
+| IO_timeout | Configure the HTTP IO timeout for uploads. | | `60s` |
 
 To see an example configuration file, select the relevant tab:
 
@@ -110,18 +124,31 @@ To see an example configuration file, select the relevant tab:
     Refresh_Interval 10
 
 [OUTPUT]
-    match *
-    name azure_kusto
-    tenant_id <TenantId>
-    client_id <ClientId>
-    client_secret <AppSecret>
-    ingestion_endpoint <IngestionEndpoint>
-    database_name <DatabaseName>
-    table_name <TableName>
-    ingestion_mapping_reference <MappingName>
-    ingestion_endpoint_connect_timeout <IngestionEndpointConnectTimeout>
-    compression_enabled <CompressionEnabled>
-    ingestion_resources_refresh_interval <IngestionResourcesRefreshInterval>
+    [OUTPUT]
+    Match *
+    Name azure_kusto
+    Tenant_Id <app_tenant_id>
+    Client_Id <app_client_id>
+    Client_Secret <app_secret>
+    Ingestion_Endpoint https://ingest-<cluster>.<region>.kusto.windows.net
+    Database_Name <database_name>
+    Table_Name <table_name>
+    Ingestion_Mapping_Reference <mapping_name>
+    ingestion_endpoint_connect_timeout <ingestion_endpoint_connect_timeout>
+    compression_enabled <compression_enabled>
+    ingestion_resources_refresh_interval <ingestion_resources_refresh_interval>
+    buffering_enabled On
+    upload_timeout 2m
+    upload_file_size 125M
+    azure_kusto_buffer_key kusto1
+    buffer_file_delete_early Off
+    unify_tag On
+    buffer_dir /var/log/
+    store_dir_limit_size 16GB
+    blob_uri_length 128
+    scheduler_max_retries 3
+    delete_on_max_upload_error Off
+    io_timeout 60s
 ```
 
 ### [YAML mode](#tab/yaml)
@@ -160,18 +187,31 @@ config:
 
   outputs: |
     [OUTPUT]
-        match *
-        name azure_kusto
-        tenant_id <TenantId>
-        client_id <ClientId>
-        client_secret <AppSecret>
-        ingestion_endpoint <IngestionEndpoint>
-        database_name <DatabaseName>
-        table_name <TableName>
-        ingestion_mapping_reference <MappingName>
-        ingestion_endpoint_connect_timeout <IngestionEndpointConnectTimeout>
-        compression_enabled <CompressionEnabled>
-        ingestion_resources_refresh_interval <IngestionResourcesRefreshInterval>
+        [OUTPUT]
+    Match *
+    Name azure_kusto
+    Tenant_Id <app_tenant_id>
+    Client_Id <app_client_id>
+    Client_Secret <app_secret>
+    Ingestion_Endpoint https://ingest-<cluster>.<region>.kusto.windows.net
+    Database_Name <database_name>
+    Table_Name <table_name>
+    Ingestion_Mapping_Reference <mapping_name>
+    ingestion_endpoint_connect_timeout <ingestion_endpoint_connect_timeout>
+    compression_enabled <compression_enabled>
+    ingestion_resources_refresh_interval <ingestion_resources_refresh_interval>
+    buffering_enabled On
+    upload_timeout 2m
+    upload_file_size 125M
+    azure_kusto_buffer_key kusto1
+    buffer_file_delete_early Off
+    unify_tag On
+    buffer_dir /var/log/
+    store_dir_limit_size 16GB
+    blob_uri_length 128
+    scheduler_max_retries 3
+    delete_on_max_upload_error Off
+    io_timeout 60s
 ```
 
 ---
 
@@ -37,6 +37,8 @@ Returns a row in the table that maximizes the specified expression *ExprToMaximi
 
 ## Examples
 
+### General examples
+
 The following example finds the maximum latitude of a storm event in each state.
 
 :::moniker range="azure-data-explorer"
@@ -67,7 +69,6 @@ The results table displays only the first 10 rows.
 | TEXAS                | 36.4607  | DARROUZETT           |
 | ...             | ...    | ...            |
 
-
 The following example finds the last time an event with a direct death happened in each state, showing all the columns.
 
 The query first filters the events to include only those events where there was at least one direct death. Then the query returns the entire row with the most recent `StartTime`.
@@ -101,7 +102,6 @@ The results table displays only the first 10 rows and first three columns.
 | LAKE MICHIGAN | 2007-06-07T13:00:00Z | 2007-06-07T13:00:00Z | ... |
 | ... | ... | ... | ... |
 
-
 The following example demonstrates null handling.
 
 :::moniker range="azure-data-explorer"
@@ -129,16 +129,11 @@ datatable(Fruit: string, Color: string, Version: int) [
 | Banana |  | Yellow |
 | Pear | 2 | Green |
 
-## Comparison to max()
+### Examples comparing arg_max() and max()
 
 The arg_max() function differs from the [max() function](max-aggregation-function.md). The arg_max() function allows you to return other columns along with the maximum value, and [max()](max-aggregation-function.md) only returns the maximum value itself.
 
-### Examples
-
-#### arg_max()
-
-The following example finds the last time an event with a direct death happened, showing all the columns in the table.
-
+The following example uses arg_max() to find the last time an event with a direct death happened in each state, showing all the columns.
 The query first filters the events to only include events where there was at least one direct death. Then the query returns the entire row with the most recent (maximum) StartTime.
 
 :::moniker range="azure-data-explorer"
@@ -158,11 +153,7 @@ The results table returns all the columns for the row containing the highest val
 |--|--|--|--|
 | 2007-12-31T15:00:00Z | 2007-12-31T15:00:00 | 	12688 | 69700 | UTAH | Avalanche | ... |
 
-#### max()
-
-Find the last time an event with a direct death happened.
-
-The query filters events to only include events where there is at least one direct death, and then returns the maximum value for StartTime.
+The following example uses the max() function to find the last time an event with a direct death happened in each state, but only returns the maximum value of StartTime.
 
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
 
@@ -41,7 +41,7 @@ Returns a row in the table that minimizes *ExprToMinimize*, and the values of co
 
 ## Examples
 
-Find the minimum latitude of a storm event in each state.
+The following example finds the maximum latitude of a storm event in each state.
 
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
@@ -137,11 +137,7 @@ The arg_min() function differs from the [min() function](min-aggregation-functio
 
 ### Examples
 
-#### arg_min()
-
-Find the first time an event with a direct death happened, showing all the columns in the table.
-
-The query first filters the events to only include those where there was at least one direct death. Then the query returns the entire row with the lowest value for StartTime.
+The following example uses arg_min() to find the last time an event with a direct death happened in each state, showing all the columns.
 
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
@@ -160,11 +156,7 @@ The results table returns all the columns for the row containing the lowest valu
 |--|--|--|--|
 | 2007-01-01T00:00:00Z | 2007-01-22T18:49:00Z | 2408 | 11929 | INDIANA | Flood | ... |
 
-#### min()
-
-Find the first time an event with a direct death happened.
-
-The query filters events to only include those where there is at least one direct death, and then returns the minimum value for StartTime.
+The following example uses the min() function to find the last time an event with a direct death happened in each state, but only returns the minimum value of StartTime.
 
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
 
@@ -40,6 +40,8 @@ Returns a dynamic array of the values taken either from the *when_true* or *when
 
 ## Examples
 
+The following example shows how to use the `array_iff()` function to evaluate elements in an array.
+
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
 > <a href="https://dataexplorer.azure.com/clusters/help/databases/Samples?query=H4sIAAAAAAAAAysoyswrUUjOz0vJLMnMz7NNqcxLzM1M1oguKSpN1UlLzClO1QExYzV1FHIQsoY6RjrGILEihJiJjqmOWaymAi9XjUJqRUlqXopCUWqxbWJRUWJlfGZmmgbcFqBRQJ2aACda2uZ8AAAA" target="_blank">Run the query</a>
@@ -56,7 +58,7 @@ print condition=dynamic([true,false,true]), if_true=dynamic([1,2,3]), if_false=d
 |---|---|---|---|
 |[true, false, true]|[1, 2, 3]|[4, 5, 6]|[1, 5, 3]|
 
-### Numeric condition values
+The following example shows how numeric condition values are treated as boolean values.
 
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
@@ -74,7 +76,7 @@ print condition=dynamic([1,0,50]), if_true="yes", if_false="no"
 |---|---|---|---|
 |[1, 0, 50]|yes|no|[yes, no, yes]|
 
-### Non-numeric and non-boolean condition values
+The following example shows how to use the `array_iff()` function with non-numeric and non-boolean condition values.
 
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
@@ -92,7 +94,7 @@ print condition=dynamic(["some string value", datetime("01-01-2022"), null]), if
 |---|---|---|---|
 |[true, false, true]|1|0|[null, null, null]|
 
-### Mismatched array lengths
+The following example shows how the function handles mismatched array lengths.
 
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
 
@@ -42,6 +42,8 @@ The inverse of the beta cumulative probability density function [beta_cdf()](bet
 
 ## Examples
 
+The following example shows how to use the `beta_inv()` function to return the inverse of the beta cumulative probability density function.
+
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
 > <a href="https://dataexplorer.azure.com/clusters/help/databases/Samples?query=H4sIAAAAAAAAA11PQQrCMBC85xVDTw3EkAheivYJPXoRkdQEDaRpsIko+HhDWiq4C8sOzOzOaBVz987UodFjyguDcuGuVtSb+APXcRiMj80UH9bfKDkR5BJcMkjBBcO2zOqonNWwPqRYscKRfPfHCWiRdW9rnJ7gk3MLtZybP9YbyQVdJcUZ7IQ9xKrsVFeRM/nAvKLxGj0OxfTF+mcdljhzDvoFBansKu8AAAA=" target="_blank">Run the query</a>
 
@@ -14,11 +14,8 @@ Consumes the tabular data stream handed to the operator.
 The `consume` operator is mostly used for triggering the query side-effect without actually returning
 the results back to the caller.
 
-The `consume` operator can be used for estimating the
-cost of a query without actually delivering the results back to the client.
-(The estimation isn't exact for various reasons; for example, `consume`
-is calculated distributively, so `T | consume` won't transmit the table's
-data between the nodes of the cluster.)
+The `consume` operator can be used for estimating the cost of a query without actually delivering the results back to the client.
+(The estimation isn't exact for various reasons; for example, `consume` is calculated distributively, so `T | consume` won't transmit the table's data between the nodes of the cluster.)
 
 ## Syntax
 
@@ -32,9 +29,13 @@ data between the nodes of the cluster.)
 |--|--|--|--|
 | *DecodeBlocks* | `bool` | | If set to `true`, or if the request property `perftrace` is set to `true`, the `consume` operator won't just enumerate the records at its input, but actually force each value in those records to be decompressed and decoded.|
 
-## Example
+### Returns
 
-The following example consumes the results of a query without returning any data to the client.
+The `consume` operator returns the same tabular data stream as its input, but it doesn't return the data to the client.
+
+## Examples
+
+The following example shows how to use the `consume` operator to trigger the query side-effect without actually returning the results back to the caller.
 
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
@@ -47,5 +48,7 @@ StormEvents
 | consume
 ```
 
+In this example, the query filters the `StormEvents` table for rows where the `State` is "TEXAS" and then applies the `consume` operator. The data is processed, but no results are returned to the client.
+
 **Output**
-No rows to show.
+The results table is empty, as the `consume` operator does not return any data to the client.
@@ -28,9 +28,9 @@ Produces a table with the distinct combination of the provided columns of the in
 > [!NOTE]
 > The `distinct` operator supports providing an asterisk `*` as the group key to denote all columns, which is helpful for wide tables.
 
-## Example
+## Examples
 
-Shows distinct combination of states and type of events that led to over 45 direct injuries.
+The following example shows how to use the `distinct` operator to create a table with the distinct combination of the columns of the input table.
 
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
 
@@ -34,6 +34,8 @@ The geospatial coordinate values in [GeoJSON Format](https://tools.ietf.org/html
 
 ## Examples
 
+The following example calculates the geospatial coordinates that represent the center of an S2 cell.
+
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
 > <a href="https://dataexplorer.azure.com/clusters/help/databases/Samples?query=H4sIAAAAAAAAAysoyswrUSjIB5G2Cump+fHFRsmpOTnxJfnxyal5JUWJOfFgWQ0lQyNjE1MzcyVNrhqF1IqS1LwUheT8/KKUzLzEktRioG6wOj0kMYTCnPy89MyS0pRUoDIkBdEGsToKOYkl2KQMYwEypEkCnAAAAA==" target="_blank">Run the query</a>
 
@@ -9,7 +9,7 @@ ms.date: 08/11/2024
 
 > [!INCLUDE [applies](../includes/applies-to-version/applies.md)] [!INCLUDE [fabric](../includes/applies-to-version/fabric.md)] [!INCLUDE [azure-data-explorer](../includes/applies-to-version/azure-data-explorer.md)] [!INCLUDE [monitor](../includes/applies-to-version/monitor.md)] [!INCLUDE [sentinel](../includes/applies-to-version/sentinel.md)]
 
-Calculates the polygon that represents the S2 Cell rectangular area. 
+Calculates the polygon that represents the S2 Cell rectangular area.
 
 Read more about [S2 Cells](http://s2geometry.io/devguide/s2cell_hierarchy).
 
@@ -34,6 +34,8 @@ Polygon in [GeoJSON Format](https://tools.ietf.org/html/rfc7946) and of a [dynam
 
 ## Examples
 
+The following example calculates the polygon that represents the S2 Cell rectangular area.
+
 :::moniker range="azure-data-explorer"
 > [!div class="nextstepaction"]
 > <a href="https://dataexplorer.azure.com/clusters/help/databases/Samples?query=H4sIAAAAAAAAAysoyswrUSg2Sk7NyQnIz6lMz89TsFVIT82Ph4jFl+THF0DENZQsLJONTC2VNAF6g4+NNQAAAA==" target="_blank">Run the query</a>