
Fraz_Khan
Copper Contributor
Feb 06, 2020

KQL query for retrieving records

Hi, I am new to KQL and have been stuck at a certain query for quite some time. Let's say we have a table with various users and they execute some commands which have been recorded in a log with the username and the time taken by the user to execute that command, so what I want to do is to retrieve the top 15 entries for each unique user according to the duration of time they have taken to execute the command which is greater than 2 minutes. Any help would be appreciated.


Thank you.

  • Fraz_Khan 


    As you didn't mention the table, or show an example row of data, here is a generic example:


    Heartbeat
    | summarize count() by Computer

    Which gets me two columns (like your User and Count columns you mentioned).

    Heartbeat
    | summarize count() by Computer
    | where count_ > 1000
    | top 15 by count_ desc


    We'd then add a line to only show the values above 1000 (2 mins in your example) and then the Top 15.


    Example results (top 5, to keep it short):


    Computer                          count_
    hardening-demo                    2877
    ContosoJbFwJb                     1441
    rancher-node-2                    1441
    gangams-kind-k8s-cluster-master   1441
    ContosoAppSrv1                    1441


    I don't know how the column that has "2 mins" is expressed, so you may need to turn it into a string or an integer first?
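The reply above shows a global top 15; the question asked for the top 15 slower-than-two-minutes entries per user. Here is a worked version of that, added as an example and not part of the thread: the table and column names (CommandLog, User, Command, Duration) and the sample rows are assumptions standing in for the real log.

```kql
// Added example, not from the thread. CommandLog and its columns are assumed names;
// the datatable below is constructed sample data standing in for the real table.
let CommandLog = datatable(User:string, Command:string, Duration:timespan) [
    "alice", "backup",  5m,
    "alice", "restore", 1m,      // under 2 minutes, filtered out below
    "alice", "compact", 3m,
    "bob",   "backup",  150s,    // 2m30s, kept
    "bob",   "export",  2m,      // exactly 2 minutes is not > 2m, filtered out
    "carol", "import",  10m
];
CommandLog
// If Duration is stored as text (e.g. "00:02:30"), convert it first:
// | extend Duration = totimespan(DurationText)
| where Duration > 2m                              // only commands slower than two minutes
| sort by User asc, Duration desc                  // group rows per user, slowest first
| extend Rank = row_number(1, User != prev(User))  // restart numbering at each new user
| where Rank <= 15                                 // top 15 per user (at most 3 in this sample)
| project User, Rank, Command, Duration
```

With the sample rows this returns alice (backup 5m, compact 3m), bob (backup 2m30s) and carol (import 10m); `sort by` serialises the rows so that `prev()` and `row_number()` can detect where one user ends and the next begins.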

