Kusto - If else condition with Kusto - azure-data-explorer

I am trying to convert the below Splunk query to Kusto.
| eval result=if(match(Status,"Success|Passed"), "success","failed")
Below is the example from Kusto that is not clear. How do I modify this Kusto example as per the above Splunk query, please? Thanks
| extend day = iff(floor(Timestamp, 1d)==floor(now(), 1d), "today", "anotherday")

You could try this:
...
| summarize success = countif(Status in ("Success", "Passed")), total = count()
| project success, failure = total - success
In case the values in the column named Status can have different casing, you can use in~().
In case the values in the column named Status are longer strings, in which you want to look for a substring, you can use, for example: Status contains "Success" or Status contains "Passed".
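As an added example (not code from the question or the answer), the direct iff() translation of the Splunk eval/if, run over a constructed Status column, with the exact case-insensitive in~() form beside a matches regex form that behaves like Splunk's match():

```kusto
// Added example with constructed sample data, not from the original post.
let T = datatable(Status: string)
[
    "Success",
    "Passed",
    "Failed",
    "passed",                 // different casing
    "Passed with warnings",   // longer string containing the term
    "Timeout",
];
T
// Exact, case-insensitive match on the whole value
| extend result_exact = iff(Status in~ ("Success", "Passed"), "success", "failed")
// Closest to Splunk match(): a regular expression; (?i) makes it case-insensitive
| extend result_regex = iff(Status matches regex @"(?i)Success|Passed", "success", "failed")
| summarize rows = count() by result_exact, result_regex
```

The two columns differ only for "Passed with warnings", which the regex form classifies as success and the exact form as failed; pick the one that matches the Splunk semantics you relied on.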


Improve Kusto Query - mailbox audit log search

I am trying to identify shared mailboxes that aren't in use. Checked "Search-MailboxAuditLog" already and some mailboxes do not return any results even though auditing is enabled, but I can see activity in Azure Sentinel.
Is there a way to improve the below Kusto code? (During testing I tried mailboxes with activities but sometimes do not get any results from the query.)
With Kusto, is there a way to loop through "mbs" like PowerShell's "foreach ($item in $mbs)"?
Thanks,
let mbs = datatable (name: string)
[
"xxx1#something.com",
"xxx2#something.com",
"xxx3#something.com",
];
OfficeActivity
| where OfficeWorkload == "Exchange" and TimeGenerated > ago(30d)
| where MailboxOwnerUPN in~ (mbs)
| distinct MailboxOwnerUPN
Update: Need help with the query.
Input would be a list of shared mailbox UPNs.
Output would be a list of shared mailboxes with any activity, for example MBs with any action in the "Operation" field.
"in" doesn't work on datatables (tabular inputs) like that; it is not a "filter", it is an "operator". The "where" is effectively the "foreach" you are referring to.
Given the sample input, the query could probably be written as:
OfficeActivity //tabular input with many records
| where TimeGenerated > ago(30d) //Filter records to window of interest first
| where OfficeWorkload == "Exchange" //foreach row
| where MailboxOwnerUPN in~ ( //foreach row
"xxx1#something.com","xxx2#something.com","xxx3#something.com"
)
| distinct MailboxOwnerUPN
You can see it in the docs at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/inoperator#arguments where "col" is the "column to filter"
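As an added example (not the answer's code), the reverse of the question's query: which listed shared mailboxes show no Exchange activity in the window, which is what an unused-mailbox review needs. OfficeActivity is stubbed with a constructed datatable and the window start is a fixed date so the query runs anywhere; drop that let and use ago(30d) against the real Sentinel table.

```kusto
// Added example; OfficeActivity rows and dates are constructed, not real data.
let mbs = datatable(name: string)
[
    "xxx1#something.com",
    "xxx2#something.com",
    "xxx3#something.com",
];
let OfficeActivity = datatable(TimeGenerated: datetime, OfficeWorkload: string,
                               MailboxOwnerUPN: string, Operation: string)
[
    datetime(2024-01-10), "Exchange",   "XXX1#something.com", "MailItemsAccessed", // casing differs
    datetime(2024-01-11), "Exchange",   "xxx3#something.com", "Send",
    datetime(2024-01-12), "SharePoint", "xxx2#something.com", "FileAccessed",      // not Exchange
];
let windowStart = datetime(2024-01-01);   // use ago(30d) on live data
// Activity per listed mailbox; in~ accepts the single-column table mbs directly
let active = OfficeActivity
    | where TimeGenerated > windowStart
    | where OfficeWorkload == "Exchange"
    | where MailboxOwnerUPN in~ (mbs)
    | summarize actions = count(), ops = make_set(Operation) by upn = tolower(MailboxOwnerUPN);
// Keep every input mailbox; join is case-sensitive, so both sides are lower-cased
mbs
| extend upn = tolower(name)
| join kind=leftouter active on upn
| project name, is_active = isnotnull(actions), actions = coalesce(actions, 0), ops
| order by is_active asc, name asc
```

With this data xxx2 comes out with is_active false (its only row is a SharePoint action), while xxx1 matches despite the upper-case UPN in the log.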

How to compare values of types string and datetime in Kusto

I have a table 'Incident' and I'm trying to get the count of all incidents resolved in the last 12 months based on the 'Resolved_at' column, which is of type 'String'.
I used the below query in Kusto:
Incident
| where resolved_at >= datetime_add('month',1,make_datetime(2020,1,1))
| project resolved_at , severity , number
But I'm getting this error:
Semantic error:...has the following semantic error: Cannot compare values of types string and datetime. Try adding explicit casts.
Please suggest.
Try todatetime(), for example the following will return true:
todatetime("2020-12-24") == datetime(2020-12-24)
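As an added example (not from the answer), the question's filter with the cast applied, run over a constructed Incident table that includes a value todatetime() cannot parse; the failed cast becomes null and is silently excluded by the comparison, so the example counts those rows separately.

```kusto
// Added example; Incident rows are constructed sample data.
let Incident = datatable(number: string, severity: string, resolved_at: string)
[
    "INC001", "high",   "2020-12-24 10:15:00",
    "INC002", "low",    "2020-01-15",             // before the cutoff
    "INC003", "medium", "not-a-date",             // unparsable string
    "INC004", "low",    "2020-06-30T23:59:59Z",
];
let cutoff = datetime_add('month', 1, make_datetime(2020, 1, 1));   // 2020-02-01
Incident
| extend resolved_dt = todatetime(resolved_at)          // string -> datetime, null on failure
| summarize resolved_after_cutoff = countif(resolved_dt >= cutoff),
            unparsable = countif(isnull(resolved_dt)),
            total = count()
```

Expected result: resolved_after_cutoff 2, unparsable 1, total 4; a plain where resolved_dt >= cutoff would drop INC003 without any error.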

Setting date to local variable from data query - "No tabular expression statement found"

I am unable to set a scalar date value from a query to a local variable. I get the following error:
SYNTAX ERROR
No tabular expression statement found
Query:
let startTime = toscalar(customMetrics
| where timestamp > ago(1d)
| summarize min(timestamp));
I get a result just fine when running just the query:
What am I doing wrong?
You'd need to execute a statement/query with this function, otherwise it's just a function definition that does not get called. The easiest one is print command, but you can also invoke the function within some query:
let startTime = toscalar(customMetrics
| where timestamp > ago(10m)
| summarize min(timestamp));
print startTime
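As an added example (not the answer's code), the second option the answer mentions: the let-bound scalar consumed by a tabular statement that follows it. customMetrics is stubbed with a generated table whose timestamps are relative to now(); remove that let to run against the real Application Insights table.

```kusto
// Added example; customMetrics is a constructed stand-in for the real table.
let customMetrics = range i from 0 to 9 step 1
    | extend timestamp = now() - 10m * i, value = i;   // samples 0..90 minutes old
// Scalar: earliest sample in the last hour (now()-50m for the stub)
let startTime = toscalar(customMetrics
    | where timestamp > ago(1h)
    | summarize min(timestamp));
// The let alone is only a definition; this statement is what gets executed
customMetrics
| where timestamp >= startTime
| summarize samples = count(), first_seen = min(timestamp), last_seen = max(timestamp)
```

For the stub this returns samples 6, since only samples 0 to 5 fall inside the hour.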

Kusto sub query selection using toscalar - returns only last matching record

I am referring to the SQL cheat sheet - Nested queries.
Query 1:
traces
| where customDimensions.Domain == "someDomain"
| where message contains "some-text"
| project itemId=substring(itemId,indexof(itemId,"-"),strlen(itemId))
Result :
itemId
-c580-11e9-888a-8776d3f65945
-c580-11e9-888a-8776d3f65945
-c580-11e9-9b01-c3be0f4a2bf2
Query 2:
traces
| where customDimensions.Domain == "someDomain"
| where itemId has toscalar(
traces
| where customDimensions.Domain == "someDomain"
| where message contains "some-text"
| project itemId=substring(itemId,indexof(itemId,"-"),strlen(itemId)))
The result of the second query returns records matching only the last record of the sub query,
i.e. > -c580-11e9-9b01-c3be0f4a2bf2
Question:
How do I get the entire result set that matches all three items?
My requirement is to take the entire sequence of logs for a particular request.
To get that I have the below inputs: I am able to take one log, and from that I can find the ItemId.
The itemId looks like "b5066283-c7ea-11e9-9e9b-2ff40863cba4". All other logs related to this request must have the value "-c7ea-11e9-9e9b-2ff40863cba4". Only the first part gets incremented, like b5066284, b5066285, b5066286.
toscalar(), as its name implies, returns a scalar value.
Given a tabular argument with N columns and M rows it'll return the value in the 1st column and the 1st row.
For example: the following will return a single value - 1
let T = datatable(a:int, b:int, c:int)
[
1,2,3,
4,5,6,
7,8,9,
]
;
print toscalar(T)
If I understand the intention in your 2nd query correctly, you should be able to achieve your requirement by using has_any.
For example:
let T = datatable(item_id:string)
[
"c580-11e9-888a-8776d3f65945",
"c580-11e9-888a-8776d3f65945",
"c580-11e9-9b01-c3be0f4a2bf2",
]
;
T
| where item_id has_any (
(
T
| parse item_id with * "-" item_id
)
)
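As an added example (not from the question or answer), the asker's full scenario: derive the per-request suffix once, collect the suffixes of the logs that match the search text (a set, unlike toscalar), then select every log sharing one of them. It uses an exact in() match on the derived suffix rather than term search, so a hyphenated key cannot be split into terms. traces is stubbed with constructed rows; remove that let to run against the real table.

```kusto
// Added example; traces rows are constructed sample data.
let traces = datatable(itemId: string, message: string)
[
    "b5066283-c7ea-11e9-9e9b-2ff40863cba4", "request received some-text",
    "b5066284-c7ea-11e9-9e9b-2ff40863cba4", "auth ok",
    "b5066285-c7ea-11e9-9e9b-2ff40863cba4", "response sent",
    "a1000001-c580-11e9-888a-8776d3f65945", "unrelated request",
];
// Suffix shared by every log of one request: everything from the first "-" onwards
let with_suffix = traces
    | extend request_suffix = substring(itemId, indexof(itemId, "-"));
// Seeds: suffixes of the logs that matched the search text (can be many)
let seeds = with_suffix
    | where message contains "some-text"
    | distinct request_suffix;
with_suffix
| where request_suffix in (seeds)   // in() takes the single-column table
| order by itemId asc
| project itemId, message
```

With this data the three b50662xx logs are returned and the unrelated request is not.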

How to Filter Unique data in Azure Application Insights

I have data in Azure Insights saved in custom event format. These custom events have data like Name, Email, Title.
There can be multiple rows with the same email.
Now I want the data grouped by email so that I can get Name, Email, Title, meaning I need to fetch the data of unique emails.
I tried to use something like
customEvents
| summarize by tostring(customDimensions["email"])
But it's returning me only the email. Now how can I get the other columns?
Even
| project customDimensions["email"], customDimensions["name"]
,customDimensions["title"]
is not working.
I have three columns in Azure Insights. Customdata has a string value column with a JSON string of data stored in it.
ID TimeStamp Customdata
1 21-12-2018 "{email:"xyz#xyz.com", name:"james",title: "Dev"}"
1 21-12-2018 "{email:"abc#abc.com", name:"Will",title: "Tester"}"
1 21-12-2018 "{email:"xyz#xyz.com", name:"james",title: "Dev"}"
1 21-12-2018 "{email:"xyz#xyz.com", name:"Happy",title:"Developer"}"
1 21-12-2018 "{email:"xyz#xyz.com", name:"JOhn",title: "Developer"}"
Now I need a query that can return
Email Name Title CountOfRecords
xyz#xyz.com James Dev 2
abc#abc.com Will Tester 1
help me here to write the query.
Try the query below (please point me out if I misunderstand you):
data source like below:
The query (please adjust the where sentence as per your need):
customEvents
| where timestamp >ago(1d)
| where name == "w1"
| summarize CountOfRecords = count() by Email = tostring(customDimensions["email"]), Name=tostring(customDimensions["name"]),Title=tostring(customDimensions["title"])
The test result:
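As an added example (not the answer's code), the variant the question's expected output asks for: one row per email with a representative Name and Title and the record count, grouped on email only so that differing names for the same address do not split the group. customEvents is stubbed with constructed rows; remove that let to run against the real Application Insights table.

```kusto
// Added example; customEvents rows are constructed sample data.
let customEvents = datatable(timestamp: datetime, name: string, customDimensions: dynamic)
[
    datetime(2018-12-21 09:00), "w1", dynamic({"email": "xyz#xyz.com", "name": "james", "title": "Dev"}),
    datetime(2018-12-21 09:05), "w1", dynamic({"email": "abc#abc.com", "name": "Will",  "title": "Tester"}),
    datetime(2018-12-21 09:10), "w1", dynamic({"email": "xyz#xyz.com", "name": "james", "title": "Dev"}),
    datetime(2018-12-21 09:15), "w1", dynamic({"email": "xyz#xyz.com", "name": "JOhn",  "title": "Developer"}),
    datetime(2018-12-21 09:20), "w2", dynamic({"email": "xyz#xyz.com", "name": "Happy", "title": "Developer"}),
];
customEvents
| where name == "w1"                       // same event filter as the answer
| extend Email = tostring(customDimensions["email"]),
         Name  = tostring(customDimensions["name"]),
         Title = tostring(customDimensions["title"])
// arg_max keeps Name/Title from the latest record of each email, not from arbitrary rows
| summarize CountOfRecords = count(), arg_max(timestamp, Name, Title) by Email
| project Email, Name, Title, CountOfRecords
| order by CountOfRecords desc
```

For this data xyz#xyz.com yields 3 records with JOhn/Developer (its latest w1 record) and abc#abc.com yields 1; if the JSON lives in a string column, wrap it in parse_json() before indexing.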
