Filtering log by date

Hi, I can't seem to find the right syntax for this query: ProtectionStatus | summarize ThreatStatusRank = max(ThreatStatusRank) by Computer, Time = bin(todatetime(DateCollected), 10m) | summa...

Azure Log Analytics

azure monitor

Matthew Maguire

Jan 18, 2018

Hi, managed to get this working using the following:

ProtectionStatus
| where TimeGenerated > ago(1d)
| summarize ThreatStatusRank = max(ThreatStatusRank) by Computer, Time = bin(todatetime(DateCollected), 10m)
| summarize(Time, ThreatStatusRank) = argmax(Time, ThreatStatusRank) by Computer
| where ThreatStatusRank !in (150, 470)
| project Computer, Rank = ThreatStatusRank

Matthew Maguire

Copper Contributor

Jan 18, 2018

Hi, managed to get this working using the following:

ProtectionStatus
| where TimeGenerated > ago(1d)
| summarize ThreatStatusRank = max(ThreatStatusRank) by Computer, Time = bin(todatetime(DateCollected), 10m)
| summarize(Time, ThreatStatusRank) = argmax(Time, ThreatStatusRank) by Computer
| where ThreatStatusRank !in (150, 470)
| project Computer, Rank = ThreatStatusRank

Meir_Mendelovich

Microsoft

Jan 19, 2018

Yep, the time filter always have to come before summarize and it is recommended to come as the first condition.

Meir

Forum Discussion

Filtering log by date

Resources