Forum Discussion

Anthony11
Copper Contributor
Mar 16, 2020

Azure Logs - Group query result by last event by computer

Hello,

I am trying to build a query that finds the last state of a Windows service, for example 'WMI Performance Adapter' (see attached image).

I would like to get only the last event/service state for each computer, but I cannot find the proper operators.

Thanks for the help 🙂


  • Anthony11 

     

    This would be an example using arg_max

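    // Event ID 7036: Service Control Manager reports that a service entered the running/stopped state
    Event
    | where EventID == 7036
    // arg_max returns the full row with the latest TimeGenerated for each Computer; count() is the number of matching events
    | summarize count(), last_record = arg_max(TimeGenerated, *) by Computer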
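
An added example, not part of the original reply: the same `arg_max` pattern narrowed to the one service from the question, with the filter applied before the summarize so that the latest row per computer belongs to that service and not to whichever service changed state last. The `SampleEvent` rows are constructed, and the column subset and message wording are assumptions modelled on the `Event` table; replace `SampleEvent` with `Event` in a real workspace.

```kusto
// Constructed sample rows standing in for the Log Analytics Event table (assumed column subset).
let SampleEvent = datatable(TimeGenerated:datetime, Computer:string, Source:string, EventID:int, RenderedDescription:string)
[
    datetime(2020-03-16 08:00:00), "SRV01", "Service Control Manager", 7036, "The WMI Performance Adapter service entered the running state.",
    datetime(2020-03-16 08:10:00), "SRV01", "Service Control Manager", 7036, "The WMI Performance Adapter service entered the stopped state.",
    datetime(2020-03-16 08:15:00), "SRV01", "Service Control Manager", 7036, "The Windows Update service entered the running state.",
    datetime(2020-03-16 07:30:00), "SRV02", "Service Control Manager", 7036, "The WMI Performance Adapter service entered the stopped state.",
    datetime(2020-03-16 09:05:00), "SRV02", "Service Control Manager", 7036, "The WMI Performance Adapter service entered the running state.",
    datetime(2020-03-16 09:20:00), "SRV03", "Service Control Manager", 7036, "The Windows Update service entered the stopped state."
];
SampleEvent
| where Source == "Service Control Manager" and EventID == 7036
// Split the message into service name and state; rows that do not match get empty strings.
| parse RenderedDescription with "The " ServiceName " service entered the " ServiceState " state" *
// Filter to the service of interest BEFORE taking the latest row per computer.
| where ServiceName == "WMI Performance Adapter"
// Keep only the state carried by the most recent event for each computer.
| summarize arg_max(TimeGenerated, ServiceState) by Computer
| project Computer, LastChange = TimeGenerated, ServiceState
| order by Computer asc
```

On the constructed rows this yields one row for SRV01 (stopped) and one for SRV02 (running); SRV03 is absent because it logged no event for that service.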

     
