Query Details

Log Sources

Query

//Get the active log sources

set maxoutputcolumns=5000;   //First seen: earliest record per table in the query time range
union withsource=TableName1 *
| summarize arg_min(TimeGenerated, *) by TableName1 

//Get the count of active log sources
set maxoutputcolumns=5000;   //Active tables count
union withsource=TableName1 *
| where TimeGenerated > ago(30min)
| summarize arg_max(TimeGenerated, *) by TableName1 
| count

Explanation

These two queries list the log sources (tables) that are receiving data in the workspace and count how many of them are currently active.

Both run against every table in the workspace: `union withsource=TableName1 *` combines all tables (the `*` is a table wildcard, not a column selector) and adds a column, here named TableName1, that records which table each row came from. `set maxoutputcolumns=5000;` raises the default output-column limit, because `arg_min(TimeGenerated, *)` and `arg_max(TimeGenerated, *)` return every column of every table that was unioned. The first query summarizes with arg_min, returning the earliest record per source table within the query's time range, i.e. the first-seen time and a sample row for each table that has data at all. The second query keeps only rows from the last 30 minutes, takes the latest record per table with arg_max, and counts the results, which is the number of tables that have received data in that window. The 30-minute window is a simple liveness threshold: a table that drops out of the count may indicate a broken connector or agent, which is a detection gap worth alerting on, but tables that are ingested infrequently by design (hourly or daily feeds) will show as inactive under such a short window, so the threshold should be set per table or against a known list of expected sources.
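The two queries can be folded into a single pass that reports, for each table, when it was first and last seen, how many rows it produced, and whether it has gone quiet. This is an added example and not part of Rod Trent's original query; the 24-hour lookback, the 30-minute staleness threshold and the list of tables expected to be quiet are assumptions to tune for your own workspace.

```kql
// Added example, not from the original post. Per-table first seen, last seen,
// row count, and a Stale flag for tables that have stopped sending data.
// Assumptions: lookback, stale_after and expected_quiet are chosen for
// illustration; tune them to the ingestion cadence of your workspace.
let lookback = 24h;                       // how far back to look for any data
let stale_after = 30m;                    // no rows for this long = stale
let expected_quiet = dynamic(["Usage"]);  // assumption: tables that legitimately report infrequently
union withsource=TableName1 *             // '*' = every table; TableName1 = source-table column
| where TimeGenerated > ago(lookback)
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Rows      = count()
          by TableName1
| extend MinutesSinceLastRow = datetime_diff('minute', now(), LastSeen)
| extend Stale = LastSeen < ago(stale_after) and not(TableName1 in (expected_quiet))
| order by Stale desc, LastSeen asc       // quiet tables first, quietest at the top
```

Because min(), max() and count() return only the columns you name, this version does not need `set maxoutputcolumns`; the original requires it because `arg_min(TimeGenerated, *)` carries every column of every table into the result. A table that is missing from this output entirely has sent nothing in the whole lookback window, so compare the list against the connectors you expect to be enabled rather than reading it on its own.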

Details


Rod Trent

Released: October 11, 2022

Tables

TableName1

Keywords

Active,Log,Sources,MaxOutputColumns,Union,WithSource,TableName1,Summarize,Arg_min,TimeGenerated,Count,Ago,30min,Arg_max

Operators

set,maxoutputcolumns,union,withsource,summarize,arg_min,by,where,TimeGenerated,ago,summarize,arg_max,count
