Forum Discussion
Azure Sentinel - how to fetch a large result set of Winsec events by pagination
Hi Community,
We pump the logs of Windows security events from some computers into the Azure Sentinel SIEM. We then retrieve those logs from Sentinel into a local database using the REST API. The problem is that when the result set is large, the API returns an error message like "Result size too large". So we want to implement pagination, fetch the data from the SIEM in pages, and store it in the local DB.
However, according to the MS docs, KQL doesn't support a "Skip" operator.
So, are there any ideas on how to implement pagination to fetch a large result set from the SIEM?
3 Replies
- GaryBushey (Bronze Contributor)
Peter_custodio, can you limit the amount of data being returned by limiting the time range that you are looking at? Granted, it will take multiple calls, but it should work.
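Gary's time-slicing suggestion, as an added Python example that is not code from this thread or from Microsoft: it queries the Log Analytics API in non-overlapping time windows and halves any window whose result is still too large, so no row is fetched twice or skipped. The endpoint URL, bearer-token auth, the workspace id placeholder and the shape of the size-limit error are assumptions.

```python
# Added example (not from the thread): pull Windows SecurityEvent rows from the
# Log Analytics query API one time window at a time, since KQL has no skip operator.
import json
import urllib.request
from datetime import timedelta

WORKSPACE_ID = "<workspace-id>"  # placeholder, not a real workspace
API_URL = f"https://api.loganalytics.io/v1/workspaces/{WORKSPACE_ID}/query"
KQL_TIME = "%Y-%m-%dT%H:%M:%SZ"


class ResultTooLarge(Exception):
    """The API rejected a window for exceeding its result size limit."""


def build_query(lo, hi):
    """KQL for the half-open window [lo, hi); adjacent windows never overlap."""
    return ("SecurityEvent"
            f" | where TimeGenerated >= datetime({lo.strftime(KQL_TIME)})"
            f" and TimeGenerated < datetime({hi.strftime(KQL_TIME)})"
            " | order by TimeGenerated asc")


def rows_as_dicts(response):
    """Flatten the API's columns/rows table into dicts keyed by column name."""
    table = response["tables"][0]
    names = [c["name"] for c in table["columns"]]
    return [dict(zip(names, row)) for row in table["rows"]]


def query_api(token, lo, hi):
    """Run one window against the real API (bearer token auth assumed)."""
    req = urllib.request.Request(
        API_URL, data=json.dumps({"query": build_query(lo, hi)}).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return rows_as_dicts(json.load(resp))
    except urllib.error.HTTPError as e:  # assumption: size rejection is a 400 saying "too large"
        if e.code == 400 and "too large" in e.read().decode(errors="replace").lower():
            raise ResultTooLarge(lo, hi) from e
        raise


def fetch_range(run_window, start, end, step=timedelta(hours=1)):
    """Collect rows for [start, end), shrinking the window when a call is too large."""
    rows, lo = [], start
    while lo < end:
        hi = min(lo + step, end)
        try:
            rows.extend(run_window(lo, hi))
            lo = hi
        except ResultTooLarge:
            step = (hi - lo) / 2  # retry the same start with half the window
            if step < timedelta(seconds=1):
                raise
    return rows
```

For the real workspace call `fetch_range(lambda lo, hi: query_api(TOKEN, lo, hi), start, end)`; the nightly Task Scheduler job can then insert the returned dicts into the local DB.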
- Peter_custodio (Copper Contributor)
GaryBushey
Thanks for your suggestion. We want to fetch the data from Sentinel every day using a Task Scheduler job, insert it into the local DB, and then query it. So instead of calling multiple times in a day, are there any other ways to fetch a large result set in one call?
- GaryBushey (Bronze Contributor)
Not that I can see. The Log Analytics query REST API doesn't appear to allow for limits and pages.