vicky2019
Copper Contributor
May 28, 2019

OMS Query fixing

While running this query I'm getting a search and union error. How do I resolve this?

for Alert agent stopped

 

 

Event | search "AL Agent" | search "stop*"

1 Reply

  • vicky2019 

     

    Doing a search is great to find some data but isn't good for a query in the long term.  In example one below, we'd use search to find the "AL agent"; I used limit to get just ten random rows with that data (for testing, that should be enough).  Then imagine you see that "AL Agent" is in the 'source' column; you can then use a where operator to look at that specific value - see example two.

     

    // example one
    Event | search "AL Agent" | limit 10

    // example two
    Event | where Source == "AL Agent" | limit 10

    You can then do the same to find out where "stop" occurs and then use that (in this pretend scenario let's assume it's found in "Message"):

    Event 
    | where Source == "AL Agent" and Message == "Stop"
    | limit 10 

    Tip: if you don't know what table a string is in, you can use this, which will show what tables (like: Events) the string appears in and the count.  Use this sparingly as it's very expensive (time and processing power), ideally over a small time window, e.g. less than 24hrs.

     

    search "Agent"
    | summarize count() by $table
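
An added example, not part of the reply above: the search-to-where approach carried through to an agent-stopped query that runs against constructed sample rows. The table name SampleEvent, the computer names and the messages are assumptions made for illustration; Source and Message follow the reply's pretend scenario, and hasprefix is used here to mirror the "stop*" wildcard from the original question.

```kusto
// Constructed sample rows standing in for the Event table (not real data).
// Column choice follows the reply's assumption that the strings are in Source and Message.
let SampleEvent = datatable(TimeGenerated:datetime, Computer:string, Source:string, Message:string)
[
    datetime(2019-05-28 08:00:00), "web01", "AL Agent",      "AL Agent service started",
    datetime(2019-05-28 09:15:00), "web01", "AL Agent",      "AL Agent service stopped unexpectedly",
    datetime(2019-05-28 09:20:00), "db02",  "AL Agent",      "Stopping AL Agent for upgrade",
    datetime(2019-05-28 09:30:00), "db02",  "Other Service", "Service stopped",
    datetime(2019-05-28 09:40:00), "app03", "AL Agent",      "Heartbeat unstoppable check passed"
];
SampleEvent                                    // replace with Event in a real workspace
| where TimeGenerated >= datetime(2019-05-28)  // in a scheduled alert, use a relative window such as ago(1h)
| where Source == "AL Agent"                   // exact, case-sensitive match on the column
| where Message hasprefix "stop"               // case-insensitive term prefix, like search "stop*"
| summarize StopEvents = count(), LastSeen = max(TimeGenerated) by Computer
| order by LastSeen desc
```

Filtering on named columns lets the time filter and the Source filter narrow the rows before any string matching on Message, and the per-computer summary gives an alert rule one row per affected machine to threshold on.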

     

     

     
