Query Details

Data Ingestion Not Happening

Query

//Replace the table name with the name you want to track. Create an Analytics Rule and be notified if a table has not received new data in the last 3 days.
//Seconds calculation for last_log is 60 x 60 x 24 x 3 = 259200
//Make sure to set the Lookback to 14 days

HuntingBookmark
| where TimeGenerated > ago(30d)
| summarize last_log = datetime_diff("second",now(), max(TimeGenerated))
| where last_log >= 259200

Explanation

This query tracks a specific table and notifies you if it has not received new data in the last 3 days. It calculates the difference, in seconds, between the current time and the most recent TimeGenerated value in the table. If that difference is greater than or equal to 259200 seconds (3 days), the query returns a result, which triggers the notification. The query itself filters on the last 30 days of data; the 14-day lookback mentioned in the comments is a setting on the Analytics Rule, not something the query sets.

Details


Rod Trent

Released: October 21, 2020

Tables

HuntingBookmark

Keywords

Devices, Intune, User

Operators

where, summarize, datetime_diff, now(), max(), ago(), >=
