Forum Discussion
Expanding Alert Log Search Query
Glad I am helping, tkeller.
Regarding the low threshold, I am not sure I understood what you meant, but:
[I am also structuring the query better]
1) If you want to exclude hits/URLs counts less than 50
W3CIISLog
| where (Computer == "W9" or Computer == "W10") and cIP !startswith "10.0"
| summarize Hits=count() by cIP
| where Hits >= 600| join kind=inner (W3CIISLog | summarize UriHits = count() by cIP, csUriStem) on cIP
| project cIP, Hits, csUriStem, UriHits| where Hits > 50 and UriHits > 50| order by Hits desc, UriHits desc2) If you want just the topmost 50 cIP:
W3CIISLog
| where (Computer == "W9" or Computer == "W10") and cIP !startswith "10.0"
| summarize Hits=count() by cIP
| where Hits >= 600| order by Hits desc
| limit 50
| join kind=inner (W3CIISLog | summarize UriHits = count() by cIP, csUriStem) on cIP| project cIP, Hits, csUriStem, UriHits| order by Hits desc, UriHits desc// I don't think we can limit here further for UriHits results
MicrosoftGlad I am helping, tkeller.
Regarding the low threshold, I am not sure I understood what you meant, but:
[I am also structuring the query better]
1) If you want to exclude hits/URLs counts less than 50
W3CIISLog
| where (Computer == "W9" or Computer == "W10") and cIP !startswith "10.0"
| summarize Hits=count() by cIP
| where Hits >= 600
| join kind=inner (W3CIISLog | summarize UriHits = count() by cIP, csUriStem) on cIP
2) If you want just the topmost 50 cIP:
W3CIISLog
| where (Computer == "W9" or Computer == "W10") and cIP !startswith "10.0"
| summarize Hits=count() by cIP
| where Hits >= 600
| order by Hits desc
| limit 50
| join kind=inner (W3CIISLog | summarize UriHits = count() by cIP, csUriStem) on cIP