I'm querying Alerts from OMS. I'd like to get the results from the Alerts for every alert so that I can get that data somewhere other than an email. I'm stumped on how to do a sub query based upon the contents of the Query field.
Here's my base query:
Alert | limit 100 | project TimeGenerated, AlertSeverity, AlertName, Query
I'm looking to take the contents of the Query field (ex: Heartbeat | order by TimeGenerated | limit 1). Can someone point me in the right direction?
I'm not sure I understand what you are looking to do. In general, the query field is a text field that you can handle like any other text field. For example: