Query Details

Event Volume Per Table

Query

//Event volume per table. Change OfficeActivity to the table you want to query against.

let Now = now();
(range TimeGenerated from ago(14d) to Now-1d step 1d
| extend Count = 0
| union isfuzzy=true(
		OfficeActivity
		| summarize Count = count() by bin_at(TimeGenerated, 1d, Now)
)
| summarize Count=max(Count) by bin_at(TimeGenerated, 1d, Now)
| sort by TimeGenerated
| project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "Events")
| render timechart

Explanation

This query calculates the event volume per day for a specific table (OfficeActivity). It uses a time range of the past 14 days and groups the events by day. The result is a time chart showing the count of events per day. If there are no events on a particular day, the count will be shown as 0.

Details

Rod Trent

Released: September 1, 2020

Tables

OfficeActivity

Keywords

Devices,Intune,User,OfficeActivity,TimeGenerated,Count,Legend,Value

Operators

range,TimeGenerated,ago,step,extend,union,isfuzzy,OfficeActivity,summarize,count,by,bin_at,Now,max,sort,project,iff,isnull,render,timechart
