OMS Query fixing


While running this query I'm getting a search and union error; how do I resolve this?

for Alert agent stopped

Event | search "AL Agent" | search "stop*"

1 Reply

@vicky2019 

Doing a search is great to find some data but isn't good for a query in the long term. In example one below, we'd use search to find the "AL agent"; I used limit to get just ten random rows with that data (for testing, that should be enough). Then imagine you see that "AL Agent" is in the 'Source' column; you can then use a where operator to look at that specific value - see example two.

// example one
Event
| search "AL Agent"
| limit 10

// example two
Event
| where Source == "AL Agent"
| limit 10

You can then do the same to find out where "stop" occurs and then use that (in this pretend scenario let's assume it's found in "Message"):

Event 
| where Source == "AL Agent" and Message == "Stop"
| limit 10 

Tip: if you don't know what table a string is in, you can use this - it shows which tables (like: Event) the string appears in and the count. Use this sparingly as it's very expensive (time and processing power), ideally over a small time window, e.g. less than 24hrs.

search "Agent"
| summarize count() by $table
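As an added example that is not part of the reply, here is the asker's chained-search query rewritten the way the reply suggests, with the table-discovery step kept to a short window and the result shaped for an "agent stopped" alert rule. The column names Source, Message and Computer are assumed from the reply's pretend scenario, not confirmed against a real workspace.

```kql
// Added example, not code from the thread. Assumptions: the "AL Agent"
// events sit in the Event table, with the string in Source and the stop
// text in Message (the reply's pretend scenario); verify both with the
// $table step before relying on the alert query.

// Step 1 (run once, small window): find which table holds the string.
// search fans out across every table, so keep the window tight.
search "AL Agent"
| where TimeGenerated > ago(1h)
| summarize count() by $table

// Step 2: the alert query itself. No search operator, so only the Event
// table is read. contains is case-insensitive and matches "stop",
// "Stopped" and "stopping", which is what the wildcard "stop*" was after.
Event
| where TimeGenerated > ago(24h)
| where Source == "AL Agent"
| where Message contains "stop"
| summarize StopEvents = count(), LastStop = max(TimeGenerated) by Computer
| order by LastStop desc
```

Run the two queries separately; the second one returns one row per machine that logged a stop event in the window, so an alert rule firing on "number of results greater than 0" covers the asker's case.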