Spotlight lets you set up an analysis inside a query. You define a comparison set of events and compare it to the implicit baseline (the rest of the events in scope). Spotlight evaluates every field you pass in, scores differences, and returns the most informative contrasts. You use it when you want fast root-cause analysis, anomaly investigation, or pattern discovery without hand-rolling many ad-hoc aggregations. Spotlight is useful when you:
  • Investigate spikes or dips in a time series and want to know what changed
  • Explain why a subset of traces is slow or error-prone
  • Find which attributes distinguish suspicious requests from normal traffic
This page explains the Spotlight APL function. For more information about how Spotlight works in the Axiom Console, see Spotlight.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Usage

Syntax

summarize spotlight(SelectionPredicate, Field1, Field2, ..., FieldN)
You use spotlight inside summarize. The first argument defines the comparison set. The remaining arguments list the fields to analyze.

Parameters

  • SelectionPredicate (Boolean expression): Defines the comparison set (selected cohort). Spotlight compares events where the predicate evaluates to true against the baseline (events where it evaluates to false) within the current query scope.
  • Field1 ... FieldN (field references): One or more fields to analyze. Include string or categorical fields (for proportions) and numeric or timespan fields (for distributional differences).

Returns

  • Bar charts for categorical fields (strings, Booleans)
  • Boxplots for numeric fields (integers, floats, timespans) with many distinct values

Use case examples

Find what distinguishes error responses from normal traffic in the last 15 minutes.

['sample-http-logs']
| where _time >= now(-15m)
| summarize spotlight(status startswith "5", ['geo.country'], ['geo.city'], method, uri, req_duration_ms)

This query keeps the last 15 minutes of traffic in scope and compares error responses (status starting with "5") to everything else in that window. Spotlight ranks the strongest differences, pointing to the endpoints, regions, and latency ranges associated with the errors.
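To make "selected cohort versus baseline" concrete, the following Python script re-implements the contrast that the query above asks for on a handful of constructed log events. This is an added example, not Axiom's code: the scores it uses (lift and a two-proportion z-score for categorical fields, a median shift for numeric fields) are an assumption chosen to illustrate the idea, and the page does not document Axiom's actual ranking model. The `min_support` cut-off is likewise an assumption, included to show why rare high-cardinality values should not dominate the ranking.

```python
"""Cohort-vs-baseline contrast scoring in the spirit of APL's spotlight().

Added example, not Axiom's implementation. Scoring (lift, two-proportion
z-score, median shift) and the min_support cut-off are assumptions made
for illustration only.
"""
import math
from collections import Counter
from statistics import median

# Constructed events shaped like ['sample-http-logs'] rows (not real data).
FIELDS = ("status", "method", "uri", "geo.country", "req_duration_ms")
ROWS = [
    # selected cohort: status starts with "5"
    ("500", "POST", "/checkout", "DE", 800),
    ("502", "POST", "/checkout", "DE", 900),
    ("503", "POST", "/checkout", "DE", 950),
    ("500", "POST", "/checkout", "US", 1200),
    ("504", "GET", "/api/cart", "DE", 700),
    ("500", "POST", "/checkout", "US", 850),
    # baseline: everything else in scope
    ("200", "GET", "/", "US", 120), ("200", "GET", "/", "US", 95),
    ("200", "GET", "/", "FR", 130), ("200", "GET", "/", "US", 210),
    ("200", "GET", "/", "US", 180), ("200", "GET", "/", "DE", 90),
    ("200", "GET", "/", "US", 140), ("200", "GET", "/api/cart", "US", 160),
    ("201", "POST", "/api/cart", "US", 250), ("200", "GET", "/api/cart", "FR", 110),
    ("200", "GET", "/api/cart", "US", 175), ("404", "GET", "/api/cart", "DE", 135),
    ("200", "POST", "/checkout", "US", 100), ("200", "POST", "/checkout", "US", 150),
]
events = [dict(zip(FIELDS, row)) for row in ROWS]


def is_error(event):
    """The SelectionPredicate from the page's query: status startswith "5"."""
    return event["status"].startswith("5")


def categorical_contrasts(selected, baseline, field, min_support=2):
    """Per value: share in cohort vs baseline, lift, and a two-proportion z-score."""
    n_s, n_b = len(selected), len(baseline)
    c_s = Counter(e[field] for e in selected)
    c_b = Counter(e[field] for e in baseline)
    out = []
    for value in set(c_s) | set(c_b):
        k_s, k_b = c_s[value], c_b[value]
        if k_s + k_b < min_support:
            continue  # rare values (e.g. unique IDs) carry no contrast signal
        p_s, p_b = k_s / n_s, k_b / n_b
        pooled = (k_s + k_b) / (n_s + n_b)
        se = math.sqrt(pooled * (1 - pooled) * (1 / n_s + 1 / n_b))
        z = (p_s - p_b) / se if se else 0.0  # se == 0 when a value is universal
        lift = p_s / p_b if p_b else math.inf  # value absent from the baseline
        out.append({"field": field, "value": value, "selected_share": p_s,
                    "baseline_share": p_b, "lift": lift, "z": z})
    return out


def numeric_contrast(selected, baseline, field):
    """Distribution shift summarised as cohort median vs baseline median."""
    m_s = median(e[field] for e in selected)
    m_b = median(e[field] for e in baseline)
    return {"field": field, "selected_median": m_s, "baseline_median": m_b,
            "median_ratio": m_s / m_b if m_b else math.inf}


def spotlight(events, predicate, *fields, min_support=2):
    """Split events by the predicate and rank the contrasts across fields."""
    selected = [e for e in events if predicate(e)]
    baseline = [e for e in events if not predicate(e)]
    if not selected or not baseline:
        raise ValueError("both the cohort and the baseline must be non-empty")
    categorical, numeric = [], []
    for field in fields:
        sample = events[0][field]
        if isinstance(sample, (int, float)) and not isinstance(sample, bool):
            numeric.append(numeric_contrast(selected, baseline, field))
        else:
            categorical.extend(categorical_contrasts(selected, baseline, field, min_support))
    categorical.sort(key=lambda c: abs(c["z"]), reverse=True)  # most informative first
    return {"categorical": categorical, "numeric": numeric}


if __name__ == "__main__":
    result = spotlight(events, is_error, "geo.country", "method", "uri", "req_duration_ms")
    for c in result["categorical"][:5]:
        print(f"{c['field']}={c['value']!r}: {c['selected_share']:.0%} of errors vs "
              f"{c['baseline_share']:.0%} of baseline, lift {c['lift']:.1f}, z {c['z']:.2f}")
    for n in result["numeric"]:
        print(f"{n['field']}: median {n['selected_median']} vs {n['baseline_median']} "
              f"(x{n['median_ratio']:.1f})")
```

On the constructed data the top-ranked contrast is uri="/checkout" (83% of errors versus 14% of the baseline), followed by method and geo.country, and the numeric field shows the error cohort's median latency at roughly six times the baseline's. The same mechanics apply to the security case: select suspicious requests with the predicate, pass the attributes you care about, and read off which values are over-represented in the cohort.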

Best practices

  • Keep the where scope broad enough that the baseline remains meaningful. Over-filtering reduces contrast.
  • Pass only fields that carry signal. Very high-cardinality identifiers can drown out more actionable attributes.
  • Include numeric fields like req_duration_ms or duration to let Spotlight detect distribution shifts, not just categorical skews.

How spotlight relates to other APL operators:

  • where: Filters events before Spotlight runs. Use it to scope the time window or dataset; use spotlight to compare selected vs baseline inside that scope.
  • summarize: Runs aggregations over events. spotlight is an aggregation you call within summarize.
  • top: Returns the most frequent values. Use top for simple frequency counts; use spotlight to contrast a cohort against its baseline with lift and significance.
  • lookup: Enriches events with reference attributes. Use lookup to add context before running spotlight across the enriched fields.