Query Details

Total Volume

Query

// Time window: the last 2 days, ending now
let endTime = now();
let startTime = ago(2d);
search *
| where TimeGenerated between (startTime..endTime)
// Bucket every record into 4-hour bins; bins with no records are filled with 0
| make-series RecordCount = count() default=0 on TimeGenerated from startTime to endTime step 4h
// Expand the series arrays into one row per bin
| mv-expand RecordCount to typeof(int), TimeGenerated to typeof(datetime)
// Pack each row's columns into a single dynamic Result column
| project Result = pack_all()

Explanation

The query searches all tables for records from the last 2 days. It then groups the records into 4-hour intervals and counts the records in each interval, filling intervals with no records with 0. Finally, it expands the series into one row per interval and packs each row's columns into a single dynamic Result column with pack_all().

Details

Rod Trent

Released: June 15, 2023

Tables

search

Keywords

Devices,Intune,User

Operators

search,where,make-series,count(),default=0,on,from,to,step,mv-expand,project,pack_all()