Query Details

Anomalies

Query

// Time window: the last 24 hours
let StartTimeAnomalies = ago(1d);
let EndTimeAnomalies = now();
// Empty typed table, so the union still returns a schema if Anomalies does not exist
let emptyTableAnomaliesVolume = datatable(TimeGenerated:datetime, RecordCount:int)[];
emptyTableAnomaliesVolume
| union isfuzzy=true
    ( Anomalies
    | where TimeGenerated between (StartTimeAnomalies..EndTimeAnomalies)
    // Count records per 4-hour bin; bins with no records get 0
    | make-series RecordCount = count() default=0 on TimeGenerated from StartTimeAnomalies to EndTimeAnomalies step 4h
    | mv-expand RecordCount to typeof(int), TimeGenerated to typeof(datetime))
| project Result = pack_all()

Explanation

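The query calculates the volume of records in the "Anomalies" table over the last day. It counts the records in each 4-hour interval with make-series, filling intervals that have no records with 0, and expands the series back into one row per interval with mv-expand. The union with an empty datatable using isfuzzy=true lets the query return an empty result instead of failing when the "Anomalies" table does not exist in the workspace. Finally, pack_all() packs each row's columns into a single dynamic property bag, projected as the Result column.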

Details

Rod Trent

Released: June 15, 2023

Tables

Anomalies

Keywords

Devices,Intune,User,Anomalies,TimeGenerated,RecordCount,StartTimeAnomalies,EndTimeAnomalies,Result

Operators

union, isfuzzy, where, between, make-series, count(), default=0, on, step, mv-expand, to, project, pack_all()