SOLVED

Azure Logs - Group query result by last event by computer


Hello,

I am trying to build a query that finds the last state of a Windows service, for example 'WMI Performance Adapter' (see attached image).

I would like to get only the last event/service state for each computer, but I cannot find the proper operators.

Thanks for help :)

2 Replies
best response confirmed by Clive Watson (Microsoft)
Solution

@Anthony11 


This would be an example using arg_max

Event
// 7036 = Service Control Manager "The <service> service entered the <state> state."
| where EventID == 7036
// arg_max(TimeGenerated, *) keeps the whole row with the latest TimeGenerated per Computer;
// count() is the number of 7036 events seen for that computer in the query window
| summarize count(), last_record = arg_max(TimeGenerated, *) by Computer
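The query above returns the last 7036 event per computer regardless of which service it was about. The question asked for the last state of one specific service, so here is an added example (not from the original thread) that narrows the events to that service before applying arg_max. It assumes the Log Analytics Event table exposes EventLog, Source and RenderedDescription, and that the 7036 message text follows the standard "The X service entered the Y state." wording; the 7-day window and the ServiceName variable are illustrative.

```kusto
// Last known state of one Windows service, per computer, from Service Control Manager event 7036.
// Assumption: RenderedDescription reads "The <service> service entered the <state> state."
let ServiceName = "WMI Performance Adapter";   // display name as it appears in the event text (assumed)
let StateRegex  = @"The (.+?) service entered the (\w+) state";
Event
| where TimeGenerated > ago(7d)
| where EventLog == "System" and Source == "Service Control Manager" and EventID == 7036
// Pull the service name and the new state out of the message text
| extend Service = extract(StateRegex, 1, RenderedDescription),
         State   = extract(StateRegex, 2, RenderedDescription)
| where Service == ServiceName
// arg_max keeps only the row with the latest TimeGenerated for each Computer,
// so one line per computer comes back, carrying the state from that latest event
| summarize arg_max(TimeGenerated, State, RenderedDescription) by Computer
| project Computer, LastChange = TimeGenerated, State
// Flag machines whose most recent transition was not into the running state
| extend NotRunning = State != "running"
| order by NotRunning desc, LastChange desc
```

One caveat worth keeping in mind: arg_max can only report computers that logged at least one matching 7036 event inside the time window. A service that has not changed state during the window, or a host that has stopped sending the System log, simply does not appear in the result, so an empty row set is not the same as "everything is running".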


@Clive Watson 

Many thanks, it works like a charm :)