choi dong geun asked

How to use a KQL query

I want to collect logs and analyze them, so I'm getting ready.

Microsoft is planning to use KQL.

For example, users recorded 50 logs a day.

How should I use it when I want to have the largest or most recent value?

There are multiple query values for one user, but I want to leave only one unique value.

I can't figure it out even after looking at the documentation, so I'm asking here.


1 Answer

Xiao Zha answered

I suppose you store the logs in the event data of a custom event called "Logs" and you have a field called Damage. If so, you may first find all events called "Logs", then specify the date range and set the aggregation method of the field you want to query. Below is the example:

// Get the max value
["events.all"]
// Specify event name
| where FullName_Name == "Logs"
// Specify the time range in which the event occurred
| where Timestamp > make_datetime("2014-03-09T00:00:00Z")
// Set the aggregation method of the field; Damage lives in a dynamic
// (JSON) column, so convert it to a number before aggregating
| summarize maxdamage = max(todouble(EventData.object.Damage))

// Get the latest value
["events.all"]
| where FullName_Name == "Logs"
| where Timestamp > make_datetime("2014-03-09T00:00:00Z")
// Specify the event originator
| where Entity_Id == "DB486D89866624F8"
// Keep only the most recent event for that originator
| top 1 by Timestamp desc nulls last

For more information please refer to the documentation.
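The two queries above return one value for a single originator; the question asks for one row per user. The following is an added example, not part of the answer: it assumes the same ["events.all"] table and column names (FullName_Name, Timestamp, Entity_Id, EventData.object.Damage), a numeric Damage field, and a one-day window (ago(1d)) standing in for the "50 logs a day" case.

```kql
// Added example (not from the answer): one row per user (Entity_Id) from the
// last day, carrying that user's most recent Damage value and their largest one.
["events.all"]
| where FullName_Name == "Logs"
// Assumed window; the answer used a fixed make_datetime() boundary instead
| where Timestamp > ago(1d)
// Damage sits in a dynamic column: convert to a number so max() compares numerically
| extend Damage = todouble(EventData.object.Damage)
// Drop events whose Damage is missing or not a number
| where isnotnull(Damage)
| summarize
    // arg_max keeps the Timestamp and Damage of the latest event per user
    arg_max(Timestamp, Damage),
    // the largest value that user ever recorded in the window
    MaxDamage = max(Damage)
    by Entity_Id
| project-rename LastSeen = Timestamp, LatestDamage = Damage
| order by LastSeen desc
```

Replace `arg_max(Timestamp, Damage)` with `arg_max(Timestamp, *)` to keep every column of the latest event per user instead of only Damage.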
