Forum Discussion

Dimitri Artemov's avatar
Dimitri Artemov
Former Employee
Nov 01, 2021

AzureActivity - When my cosmos account was actually deleted?

Hello, If I run below TQL AzureActivity | where TimeGenerated > ago(24h) | where OperationNameValue has "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/DELETE" | where  ActivityStatusValue == "Succe...
azure monitor
CliveWatson's avatar
CliveWatson
Former Employee
Nov 01, 2021

Dimitri Artemov 

 

To help with these I use the (little known) "Group Columns" feature, then drag and drop a column heading, you can then simply scroll to teh right to see what maybe different in each column  (or drag and drop other columns into the group).

Ultimately many solutions log multiple rows, often looking almost the same apart from the timestamp.  
Myself I'd use arg_max to see the last row from each 


...
| extend p=parse_json(Properties)
| extend ResourceDeleted=split(_ResourceId, "/", 8)[0]
| summarize arg_max(TimeGenerated,*) by OperationNameValue

Note: You can replace the "*" with specific named columns e.g.
| summarize arg_max(TimeGenerated,OperationNameValueActivityStatusValueResourceDeleted) by OperationNameValue


Resources