Forum Discussion

abon13's avatar
abon13
Brass Contributor
Nov 15, 2023
Solved

Use of arg_max and arg_min together

Hi, I have a query which ultimately gives out all the info related to an IP address/ system. My current query is making use of arg_max, however I would also like to run arg_min. The final query resu...
KQL
kusto
siem
  • Clive_Watson's avatar
    Clive_Watson
    Nov 16, 2023

    This is one way:

    let min_=Heartbeat
    | where TimeGenerated > ago(30m)
    | where Computer =="JBOX10"
    | summarize arg_min(TimeGenerated,ComputerIP, Computer)
    | extend Title_='min'
    ;
    let max_=Heartbeat
    | where TimeGenerated > ago(30m)
    | where Computer =="JBOX10"
    | summarize arg_max(TimeGenerated,ComputerIP, Computer)
    | extend Title_='max'
    ;
    union min_, max_
    | project TimeGenerated, ComputerIP, Computer, Title_

     

Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Nov 16, 2023

abon13 

 

Your example would work "as is" however I'd advise you to not use "*" and select specific columns to make it more readable (you might what to rename some of the columns). e.g.


Heartbeat
| where TimeGenerated > ago(30m)
| where Computer =="JBOX10"
| summarize min_=arg_min(TimeGenerated,ComputerIP, Computer), max_=arg_max(TimeGenerated,ComputerIP, Computer)

Example using the demo data:

Go to Log Analytics and run query

min_ ComputerIP Computer max_ ComputerIP1 Computer1
2023-11-16T11:12:24.3531826Z20.29.245.93JBOX102023-11-16T11:41:26.9028233Z20.29.245.93JBOX10

 

With renamed columns 
Heartbeat
| where TimeGenerated > ago(30m)
| where Computer =="JBOX10"
| summarize min_=arg_min(TimeGenerated,ComputerIPmin=ComputerIP, Computermin=Computer),
max_=arg_max(TimeGenerated,ComputerIPmax=ComputerIP, Computermax=Computer)

abon13's avatar
abon13
Brass Contributor
Nov 16, 2023
Clive_Watson

Would it be possible to get the outputs of arg_min and arg_max in two separate rows as below ?

TimeGenerated ComputerIP1 Computer1
2023-11-16T11:12:24.3531826Z 20.29.245.93 JBOX10
2023-11-16T11:41:26.9028233Z 20.29.245.93 JBOX10
  • Clive_Watson's avatar
    Clive_Watson
    Bronze Contributor
    Nov 16, 2023

    This is one way:

    let min_=Heartbeat
    | where TimeGenerated > ago(30m)
    | where Computer =="JBOX10"
    | summarize arg_min(TimeGenerated,ComputerIP, Computer)
    | extend Title_='min'
    ;
    let max_=Heartbeat
    | where TimeGenerated > ago(30m)
    | where Computer =="JBOX10"
    | summarize arg_max(TimeGenerated,ComputerIP, Computer)
    | extend Title_='max'
    ;
    union min_, max_
    | project TimeGenerated, ComputerIP, Computer, Title_

     

    • abon13's avatar
      abon13
      Brass Contributor
      Nov 17, 2023

      Clive_Watson

      What I have observed when the ComputerIPs are different, it still prints only one row ( based on max/min).
      Can we have different rows for different ComputerIP while using summarize arg_min(TimeGenerated,ComputerIP, Computer)  ?

       



      TimeGenerated ComputerIP1 Computer
      2023-11-16T11:12:24.3531826Z 20.29.245.93 JBOX10
      2023-11-16T11:41:26.9028233Z 1.2.3.4 JBOX15

Resources