SOLVED
Querying Alert Data Dynamically

Jason Dempsey
Microsoft

I'm querying Alerts from OMS. I'd like to get the results from the Alerts for every alert so that I can get that data somewhere other than an email. I'm stumped on how to do a sub query based upon the contents of the Query field.
Here's my base query:

Alert
| limit 100
| project TimeGenerated, AlertSeverity, AlertName, Query
I'm looking to take the contents of the Query field (ex: Heartbeat | order by TimeGenerated | limit 1). Can someone point me in the right direction?

1 Reply
Solution

Hi Jason,
I'm not sure I understand what you are looking to do. In general, the query field is a text field that you can handle like any other text field. For example:
Alert
| parse Query with QuerySource "|" *
| summarize count() by QuerySource

Hope it helps
Meir
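The same two steps as the answer's KQL, carried out in Python over an exported Alert result set, as an added example that is not part of the thread. It assumes rows with the four columns the question projects (the sample rows are constructed), and it makes one caveat visible: KQL `parse` keeps the whitespace before the pipe, so "Heartbeat " and "Heartbeat" would land in separate summarize groups unless trimmed.

```python
from collections import Counter

# Constructed sample rows shaped like the projected Alert columns
# (TimeGenerated, AlertSeverity, AlertName, Query); not real OMS data.
SAMPLE_ALERTS = [
    {"TimeGenerated": "2018-01-01T00:00:00Z", "AlertSeverity": "Warning",
     "AlertName": "Heartbeat missing",
     "Query": "Heartbeat | order by TimeGenerated | limit 1"},
    {"TimeGenerated": "2018-01-01T00:05:00Z", "AlertSeverity": "Critical",
     "AlertName": "Failed logons",
     "Query": "SecurityEvent | where EventID == 4625 | count"},
    {"TimeGenerated": "2018-01-01T00:10:00Z", "AlertSeverity": "Warning",
     "AlertName": "Heartbeat stale",
     "Query": "Heartbeat|summarize max(TimeGenerated) by Computer"},
    {"TimeGenerated": "2018-01-01T00:15:00Z", "AlertSeverity": "Informational",
     "AlertName": "Raw table scan",
     "Query": "Event"},
]


def query_source(query: str, trim: bool = True) -> str:
    """Emulate `parse Query with QuerySource "|" *`: the text before the first pipe.

    As with KQL parse in its default mode, a query with no pipe at all yields an
    empty QuerySource instead of failing. With trim=False the surrounding
    whitespace is kept exactly as the KQL operator keeps it, so "Heartbeat " and
    "Heartbeat" are different values; trim=True folds them together.
    """
    head, sep, _ = query.partition("|")
    if not sep:
        return ""
    return head.strip() if trim else head


def summarize_by_source(alerts, trim: bool = True) -> dict:
    """Emulate `summarize count() by QuerySource` over a list of alert rows."""
    return dict(Counter(query_source(a["Query"], trim) for a in alerts))


if __name__ == "__main__":
    for source, n in sorted(summarize_by_source(SAMPLE_ALERTS).items()):
        print(f"{source or '<no pipe>'}: {n}")
```

KQL itself cannot execute a string column as a query, so the extracted Query text still has to be submitted by an external client; this block only reproduces the text handling the answer describes.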