Forum Discussion

pho30's avatar
pho30
Copper Contributor
Jan 29, 2018

Sum Count of 2 different custom fields

Hello,   I would like to sum two custom fields I created for failed logins in linux. Each field extracts a user name based on similar events (2 separate events though) and then I want to have a c...
azure monitor
Query Language
Meir_Mendelovich's avatar
Meir_Mendelovich
Icon for Microsoft rankMicrosoft
Feb 01, 2018

Hi,

 

Other than the elegant solution that Evgeny proposed, I have few other comments on your query:

  • Try to make the time where condition the first filter in the query. In your query it comes after a very complex filter: | where TimeGenerated > now(-7d)
  •  It is more efficient to filter before the summarize than after the summarize.
  • Other than the new coalesce() function, there is the more flexible condition functions like: iif() and case()

 

Thanks,

Meir

  • pho30's avatar
    pho30
    Copper Contributor
    Feb 03, 2018

    Thanks Meir, ill make the recommended changes and check out the other functions.