Forum Discussion
klaszlo13
Oct 01, 2024 | Copper Contributor
Workbook with multiple visualizations using lowest number of queries
Coming from the Splunk world and didn't find an answer to this in the workbook documentation. Is it possible to chain searches, like in Splunk, as explained here: https://docs.splunk.com/Documentation/S...
G_Wilson3468
Nov 25, 2024 | Iron Contributor
Have you tried assigning that base search to a variable and then filtering off that variable? For example,
// Base search: one time-bounded projection that every later query reuses.
// A let statement must end with a semicolon and be followed by the query in the same batch.
let base_search =
    SomeLog
    | where Timestamp >= ago(1d)
    | project Timestamp, UserId, DeviceId, successfulLogins;
Then you could search against that:
// Each query filters the shared base search and buckets logins per hour.
// Column names must match the projection above (UserId, Timestamp).
base_search
| where UserId == "someone"
| summarize totalLogins = sum(successfulLogins) by bin(Timestamp, 1h)
base_search
| where UserId == "someone_else"
| summarize otherLogins = sum(successfulLogins) by bin(Timestamp, 1h)
base_search
| where UserId == "thirdUser"
| summarize lastLogins = sum(successfulLogins) by bin(Timestamp, 1h)
Hope this helps
G.
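The pattern from the reply above, carried through as a single runnable KQL batch. This is an added example, not G_Wilson3468's code: the `SomeLog` table is replaced by a constructed `datatable` so it runs in any Log Analytics or Azure Data Explorer query window without real data, the base search is wrapped in `materialize()` so it is evaluated once and cached for every reference, and the three per-user branches are joined with `union` so one workbook query item can drive one chart with a series per user. The user and device names and the `Series` column are assumptions for illustration.

```kql
// Constructed sample data standing in for the SomeLog table (example only).
// The ago(1d) filter from the reply is omitted because these fixed timestamps are in the past.
let base_search =
    datatable(Timestamp: datetime, UserId: string, DeviceId: string, successfulLogins: int)
    [
        datetime(2024-10-01 08:05:00), "someone",      "dev-01", 3,
        datetime(2024-10-01 08:40:00), "someone",      "dev-01", 2,
        datetime(2024-10-01 09:10:00), "someone_else", "dev-02", 1,
        datetime(2024-10-01 09:15:00), "thirdUser",    "dev-03", 4,
        datetime(2024-10-01 10:00:00), "someone_else", "dev-02", 5
    ]
    | project Timestamp, UserId, DeviceId, successfulLogins;
// materialize() runs the base search once and caches the rows; every reference below
// reads the cache instead of re-evaluating the projection (the "lowest number of queries" goal).
let cached = materialize(base_search);
// One branch per user, as in the reply; union returns them as one table.
// The assumed Series column labels each row so a chart can split it into one line per user.
union
    (cached
     | where UserId == "someone"
     | summarize Logins = sum(successfulLogins) by bin(Timestamp, 1h)
     | extend Series = "someone"),
    (cached
     | where UserId == "someone_else"
     | summarize Logins = sum(successfulLogins) by bin(Timestamp, 1h)
     | extend Series = "someone_else"),
    (cached
     | where UserId == "thirdUser"
     | summarize Logins = sum(successfulLogins) by bin(Timestamp, 1h)
     | extend Series = "thirdUser")
| order by Timestamp asc, Series asc
```

Expected shape of the result: five rows at most, one per (hour bucket, user) pair, for example `2024-10-01 08:00`/`someone`/5 and `2024-10-01 09:00`/`someone_else`/1. When all three visualizations share the same grouping, the same result comes from a single `cached | summarize Logins = sum(successfulLogins) by UserId, bin(Timestamp, 1h)` without the union; the union form is shown because it keeps each branch independently filterable, matching the reply's structure. In a workbook, the `let` block has to be repeated in each query item that uses it, so the saving from `materialize()` applies within one query item, not across items.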