Forum Discussion

Florian Wallny's avatar
Florian Wallny
Copper Contributor
Jun 08, 2018
Solved

next() function behaviour

Hi all, i have file server data in Log Analytics and i want to know when a file gets modified after remaining unchanged for a certain amount of days. What i have done is retrieving a list of files w...
azure monitor
Query Language
  • Noa Kuperberg's avatar
    Noa Kuperberg
    Jun 19, 2018

    I think I see what you mean, have encountered that before (we should really have a "nextif" function).

    This is what I do in such cases:

    let mod = SecurityEvent
| summarize count() by ObjectName
| where ObjectName like "." and count_ > 1;
SecurityEvent
| where ObjectName in (mod)
| project Filename=ObjectName, TimeGenerated
| sort by Filename asc, TimeGenerated desc
| extend NextFilename=next(Filename), NextTimeGenerated=next(TimeGenerated) 
| extend FollowingEventInSeconds = iff(Filename==NextFilename, tolong((TimeGenerated-NextTimeGenerated)/1s), -1)
| project Filename, FollowingEventInSeconds

    (Note that I've removed the AccessMask filter to match our demo data).

    What I do is add column to hold the next row's filename and time, and then calculate the time diff between with the next row only if it has the same file name. Otherwise, I put "-1" in it to indicate there is no following event to work with.

     

    The documentation is ok as far as I see, indeed sort() did the serialization so you don't need to.

Ketan Ghelani's avatar
Ketan Ghelani
Former Employee
Jun 19, 2018

Noa Kuperberg can update the docs.

You can still achieve the scenario correct.

 

a sample query here

SecurityEvent
| where ObjectName contains "root"
| where AccountType == "Machine"
| project ObjectName, TimeGenerated
| sort by ObjectName asc, TimeGenerated desc
| serialize
| extend timeDiffSeconds = (TimeGenerated - next(TimeGenerated))/1s
Noa Kuperberg's avatar
Noa Kuperberg
Icon for Microsoft rankMicrosoft
Jun 19, 2018

I think I see what you mean, have encountered that before (we should really have a "nextif" function).

This is what I do in such cases:

let mod = SecurityEvent
| summarize count() by ObjectName
| where ObjectName like "." and count_ > 1;
SecurityEvent
| where ObjectName in (mod)
| project Filename=ObjectName, TimeGenerated
| sort by Filename asc, TimeGenerated desc
| extend NextFilename=next(Filename), NextTimeGenerated=next(TimeGenerated) 
| extend FollowingEventInSeconds = iff(Filename==NextFilename, tolong((TimeGenerated-NextTimeGenerated)/1s), -1)
| project Filename, FollowingEventInSeconds

(Note that I've removed the AccessMask filter to match our demo data).

What I do is add column to hold the next row's filename and time, and then calculate the time diff between with the next row only if it has the same file name. Otherwise, I put "-1" in it to indicate there is no following event to work with.

 

The documentation is ok as far as I see, indeed sort() did the serialization so you don't need to.

  • Florian Wallny's avatar
    Florian Wallny
    Copper Contributor
    Jun 22, 2018

    Noa Kuperberg thanks, that helped!

    I agree that it might be useful to create an extendif function to enable contitioned calculated columns.