Query Details

Dataparser

Query

MyCustomCSVLog_CL
| extend CSVFields  = split(RawData, ',')
| extend EventTime  = todatetime(CSVFields[0])
| extend Code       = toint(CSVFields[1]) 
| extend Status     = tostring(CSVFields[2]) 
| extend Message    = tostring(CSVFields[3]) 
| where getyear(EventTime) == 2018
| summarize count() by Status,Code

Explanation

This query reads the custom log table "MyCustomCSVLog_CL" and splits each record's RawData column into separate fields, using commas as delimiters. It then converts the first field into a datetime value, the second field into an integer value, and the third and fourth fields into string values.

Next, it filters the results to only include events that occurred in the year 2018. Finally, it summarizes the count of events for each unique combination of status and code.
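
The same pipeline over constructed sample rows, as an added example that is not part of the original query or the author's code: it uses parse_csv() in place of split() so a double-quoted Message containing a comma stays in one field, and it drops rows whose timestamp or code fails to convert. The SampleLog rows and the NaiveFieldCount, ParseOk, Events and QuotedCommaRows names are assumptions made for illustration.

```kql
// Constructed sample rows standing in for MyCustomCSVLog_CL (not real data).
let SampleLog = datatable(RawData: string)
[
    '2018-03-01T10:15:00Z,200,Success,Device enrolled',
    '2018-03-01T10:16:30Z,500,Failure,"Sync failed, retry scheduled"',
    '2018-07-19T08:02:11Z,200,Success,Policy applied',
    '2019-01-05T12:00:00Z,404,Failure,User not found',
    'not-a-timestamp,abc,Unknown,Malformed line'
];
SampleLog
// parse_csv() honours double-quoted fields; split(RawData, ',') would cut
// the second row's Message in two and yield five fields instead of four.
| extend CSVFields       = parse_csv(RawData)
| extend NaiveFieldCount = array_length(split(RawData, ','))
| extend EventTime       = todatetime(CSVFields[0])
| extend Code            = toint(CSVFields[1])
| extend Status          = tostring(CSVFields[2])
| extend Message         = tostring(CSVFields[3])
// todatetime() and toint() return null on input they cannot convert,
// so malformed lines are filtered out here instead of being counted.
| extend ParseOk = isnotnull(EventTime) and isnotnull(Code) and array_length(CSVFields) == 4
| where ParseOk and getyear(EventTime) == 2018
// QuotedCommaRows counts the rows that a plain comma split would have mis-parsed.
| summarize Events = count(), QuotedCommaRows = countif(NaiveFieldCount != 4) by Status, Code
```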

Details

Rod Trent

Released: May 12, 2020

Tables

MyCustomCSVLog_CL

Keywords

Devices,Intune,User

Operators

|,extend,split,todatetime,toint,tostring,where,getyear,summarize,count()
