SOLVED

custom field

Deleted
Not applicable

I have a custom field and I want it to alert me when the value passes the threshold. I have extracted the value, however if anything is above that value I didn't get any result.

example: Custom Logs =>  mytestlogs_CL

extract field  =>  "extract_cf"

example field result  =>   "3456"  or "7856" or "3451" and so on. The KQL search

"mytestlogs_CL| where extract_CF > 1"

The result is returned even though for there are?

1 Reply
best response
Solution

@Deleted 

 

Are the values strings - you have shown them with "  "?

 

Go to Log Analytics and run query

EventID count_
9992 24
9991 24
9993 24
9994 24

 

You may need to try using toint(), e.g.:

 

let t = datatable (aString:string, aNumber:int)
["1234",1,
 "5678",2];
 t
 | where toint(aString) > 1
 | project aString
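
An added example, not part of the original thread: a threshold rule over a string-typed custom field that also surfaces values toint() cannot convert, so the alert does not silently skip them. The threshold, the sample rows and the `value`/`status` column names are assumptions; the rows are constructed and stand in for `mytestlogs_CL`.

```kusto
// Constructed sample rows standing in for mytestlogs_CL; extract_CF is a string column.
let threshold = 3500;   // hypothetical alert threshold
let mytestlogs = datatable (TimeGenerated:datetime, extract_CF:string)
[
    datetime(2020-04-20 10:00:00), "3456",
    datetime(2020-04-20 10:05:00), "7856",
    datetime(2020-04-20 10:10:00), "3451",
    datetime(2020-04-20 10:15:00), " 9120 ",  // padded value
    datetime(2020-04-20 10:20:00), "n/a",     // not a number
    datetime(2020-04-20 10:25:00), ""         // empty extraction
];
mytestlogs
// Strip surrounding whitespace, then convert; toint() yields null for non-integer text.
| extend value = toint(trim(@"\s+", extract_CF))
// Classify each row so conversion failures are visible instead of dropped by the filter.
| extend status = case(
    isnull(value), "unparsed",
    value > threshold, "over_threshold",
    "ok")
// Keep threshold breaches and rows the rule could not evaluate.
| where status != "ok"
| project TimeGenerated, extract_CF, value, status
```

A plain `where toint(extract_CF) > threshold` drops the unparsed rows, because a comparison against null is not true; keeping them as a separate status shows when the extraction itself has stopped producing numbers.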