Query Details

Lookback Query

Query

// Example of a lookback query: hosts seen in the past 14 days that have
// not sent a heartbeat in the last 2 hours.

Heartbeat
| where TimeGenerated between (now(-2h) .. now())
//| summarize min(TimeGenerated), max(TimeGenerated)   // uncomment to check the window bounds
| where Computer startswith "S"
| distinct Computer
//
// Now do the same for the past 14 days minus the last 2 hours. The upper bound
// ago(2h) is key, so we don't process the same data twice.
//
| join kind=rightanti
(
    Heartbeat
    | where TimeGenerated between (ago(14d) .. ago(2h))
    //| summarize min(TimeGenerated), max(TimeGenerated)   // uncomment to check the window bounds
    | where Computer startswith "S"
    | distinct Computer
) on Computer

Explanation

This query looks for heartbeat data from computers whose names start with "S" in the last 2 hours. It then joins that set with heartbeat data from the past 14 days, excluding the last 2 hours, so that the same rows are not processed twice. Because the join is kind=rightanti, only right-side rows with no match on the left survive: the final result is the list of distinct computers whose names start with "S" that sent a heartbeat in the past 14 days, excluding the last 2 hours, but did not send one in the last 2 hours.
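The same lookback pattern with the windows bound through let statements and the last heartbeat reported for each silent host, added here as an example rather than the page's own query. It swaps the join sides and uses kind=leftanti, which is equivalent to the rightanti join above; the 14d/2h windows and the "S" prefix are kept as illustrative values.

```kql
// Added example (not from the original page): lookback with let-bound windows,
// reporting when each host that has gone silent was last seen.
let lookbackWindow = 14d;   // how far back a host counts as "known"
let recentWindow   = 2h;    // the slice in which a host counts as "still alive"
let namePrefix     = "S";   // illustrative filter, as in the original query
// Hosts that reported in the recent slice.
let RecentHosts = Heartbeat
    | where TimeGenerated > ago(recentWindow)
    | where Computer startswith namePrefix
    | distinct Computer;
// Hosts known in the earlier part of the lookback, with their last heartbeat.
// The upper bound ago(recentWindow) avoids re-reading rows already covered above.
Heartbeat
| where TimeGenerated between (ago(lookbackWindow) .. ago(recentWindow))
| where Computer startswith namePrefix
| summarize LastHeartbeat = max(TimeGenerated) by Computer
// leftanti keeps rows from this (left) side with no match in RecentHosts,
// i.e. hosts that were known but have not reported in the recent slice.
| join kind=leftanti RecentHosts on Computer
| extend SilentFor = now() - LastHeartbeat
| order by LastHeartbeat asc
```

Hosts appear at the top of the result in the order they fell silent, which makes the output easy to review or to feed into an alert rule.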

Details


Rod Trent

Released: November 1, 2022

Tables

Heartbeat

Keywords

Heartbeat, TimeGenerated, Computer, startswith, distinct, join, kind, rightanti, ago

Operators

where, between, now, startswith, distinct, join, kind, rightanti, ago
