
Computer group in OMS query

Mayank Bansal
Microsoft

I have two types of groups: saved and Active Directory. I could run a query on the saved group as below:

Perf | where Computer in (['ProdServers'])

How can I run a similar query for an AD group? I could list the AD group members using the query below:

ComputerGroup | where GroupSource == "ActiveDirectory" and Group == "SV_Prod" | distinct Computer

2 Replies
Solution

Hi @Mayank Bansal

You can do the following:

let MyGroup = ComputerGroup | where GroupSource == "ActiveDirectory" and Group == "SV_Prod" | distinct Computer;
Perf | where Computer in (MyGroup)

Additionally you can save the results from:

ComputerGroup | where GroupSource == "ActiveDirectory" and Group == "SV_Prod" | distinct Computer

to a computer group let's say with name MySavedGroup and reference it in

Perf | where Computer in (MySavedGroup)

like any other computer group.

Thanks this solved my problem.
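
The `let` pattern from the accepted answer with two refinements, as an added example that is not part of the original thread: the membership lookup gets its own time window, and group members with no matching `Perf` rows are listed instead of silently dropping out of the result. The 1-day and 1-hour windows and the CPU counter filter are assumptions chosen for illustration.

```kusto
// Added example, not from the original thread.
// Assumptions: 1-day membership lookback, 1-hour Perf window, total CPU counter.
let MyGroup = ComputerGroup
    | where TimeGenerated > ago(1d)          // membership records are written periodically
    | where GroupSource == "ActiveDirectory" and Group == "SV_Prod"
    | extend Computer = tolower(Computer)    // normalise case so the filter and join agree
    | distinct Computer;
let PerfByComputer = Perf
    | where TimeGenerated > ago(1h)
    | extend Computer = tolower(Computer)
    | where Computer in (MyGroup)
    | where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName == "_Total"
    | summarize AvgCpu = avg(CounterValue), Samples = count() by Computer;
// Left outer join keeps group members that returned no Perf rows.
MyGroup
| join kind=leftouter (PerfByComputer) on Computer
| project Computer, AvgCpu, Samples
| extend Reporting = isnotnull(Samples)
| order by Reporting asc, Computer asc
```

Rows with `Reporting == false` are AD group members that sent no matching performance data in the window, which is the case a plain `in (MyGroup)` filter hides.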