Nov 14 2017 02:53 PM - last edited on Apr 07 2022 04:47 PM by TechCommunityAP
I'm querying Alerts from OMS. I'd like to get the results from the Alerts for every alert so that I can get that data somewhere other than an email. I'm stumped on how to do a sub query based upon the contents of the Query field.
Here's my base query:
Alert
| limit 100
| project TimeGenerated, AlertSeverity, AlertName, Query
I'm looking to take the contents of the Query field (ex: Heartbeat | order by TimeGenerated | limit 1). Can someone point me in the right direction?
Nov 16 2017 03:23 AM
Solution
Hi Jason,
I'm not sure I understand what you are looking to do. In general, the query field is a text field that you can handle like any other text field. For example: