Forum Discussion
Azure Log analytics
- Aug 21, 2019
Note: https://docs.microsoft.com/en-us/azure/kusto/query/makeset-aggfunction you should always use make_set or make_list which have replaced makeset and makelist as the older functions have a 128 limit.
Make_set is probably the one to use - as it "Returns a dynamic (JSON) array of the set of distinct values that Expr takes in the group."
The aim here is to get the row (record) count below 10,000, then you know you have all the data, if you have 441 then all should be ok. Also look out for the 500 column limit, but I think you are a long way from that.
- Robert James Reber, Aug 22, 2019, Brass Contributor
Clive, I wonder if you can help me with this question. When I do the below query I get strange results? In other words, if I set my timeframe for 24hrs, or 7 days, or custom (15 days) my numbers keep changing. I'm not sure I feel confident with any of these numbers right now. Am I looking at Log Analytics incorrectly? I want a list of all PCs that have this add-in, which will be in excess of 12,000, so I limit my scope to fewer geographic locations as you suggested the other day and I still get inconsistent numbers based on the Time Range I select?
search in (UAOfficeAddIn) OfficeAddInName == "Microsoft VBA for Outlook Addin"
| where Computer !contains "US" and Computer !contains "GB" and Computer !contains "SG"
| order by Computer
- CliveWatson, Aug 22, 2019, Former Employee
Are the numbers massively out? I suspect it may be run-to-run differences, as when you ask to see the past 7 days it does just that, from the moment you run the query to the same time 7 days ago. As the hours/minutes change so do the results.
We can fix that with a fixed window of time. In the case below (line #2), I added a midnight-to-midnight clause using the startofday function, e.g. midnight 7 days ago to midnight yesterday.
UAOfficeAddIn
| where TimeGenerated > startofday(ago(7d)) and TimeGenerated < startofday(now())
| where OfficeAddInName == "Microsoft VBA for Outlook Addin"
| where Computer !contains "US" and Computer !contains "GB" and Computer !contains "SG"
| order by Computer
Let me know if that helps?
If you look at lots of my queries on my blog, I often use startofday for this reason.
// with just a fixed startpoint
| where TimeGenerated > startofday(ago(7d))
// or with a fixed start and end
| where TimeGenerated > startofday(ago(7d)) // and TimeGenerated < startofday(now())
- Robert James Reber, Aug 22, 2019, Brass Contributor
Thanks Clive, I tried that and I still get strange outputs. I do see 5 entries for one PC barcode that lists 2019-08-16T08.00.00.00 then 2019-08-15T08.00.00.00 then 2019-08-17T08.00.00.00. So the further back in time I go, the more redundancy I see for more and more PCs. If I use the 24-hour default, I do not see an entire fleet, which should be around 15,000 or so. I instead get 1,594
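An added example (not part of any post in this thread, and not the posters' own query): the fixed midnight-to-midnight window from the reply above, followed by a summarize that collapses repeated per-day records into one row per computer. The table SampleAddIn, its rows, the computer names and runTime are constructed stand-ins for UAOfficeAddIn and now(); that a computer logs about one record per day it reports is an assumption drawn from the timestamps quoted in the last post.

```kusto
// Assumed moment the query is run; in a real workspace use now() instead.
let runTime = datetime(2019-08-22 14:37:00);
// Constructed sample rows standing in for UAOfficeAddIn (not real data).
let SampleAddIn = datatable(TimeGenerated:datetime, Computer:string, OfficeAddInName:string)
[
    datetime(2019-08-15 08:00:00), "DE-PC-0001", "Microsoft VBA for Outlook Addin",
    datetime(2019-08-16 08:00:00), "DE-PC-0001", "Microsoft VBA for Outlook Addin",
    datetime(2019-08-17 08:00:00), "DE-PC-0001", "Microsoft VBA for Outlook Addin",
    datetime(2019-08-21 08:00:00), "FR-PC-0002", "Microsoft VBA for Outlook Addin",
    datetime(2019-08-22 08:00:00), "FR-PC-0002", "Microsoft VBA for Outlook Addin",
    datetime(2019-08-16 08:00:00), "US-PC-0003", "Microsoft VBA for Outlook Addin",
    datetime(2019-08-16 08:00:00), "DE-PC-0004", "Some Other Addin"
];
SampleAddIn
// Fixed window: midnight 7 days before the run to midnight at the start of the run day.
// Any run on the same calendar day selects the same rows, so counts stop drifting.
| where TimeGenerated > startofday(runTime - 7d) and TimeGenerated < startofday(runTime)
| where OfficeAddInName == "Microsoft VBA for Outlook Addin"
| where Computer !contains "US" and Computer !contains "GB" and Computer !contains "SG"
// One row per computer instead of one row per computer per day:
// Records shows how many daily rows were collapsed, DaysSeen which days they came from.
| summarize LastSeen = max(TimeGenerated),
            Records  = count(),
            DaysSeen = make_set(startofday(TimeGenerated))
            by Computer
| order by Computer asc
```

Because the output has one row per computer, the row count is the fleet count for the window, which makes it easier to see whether a result is still under the 10,000-row limit mentioned earlier in the thread.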