Forum Discussion
Matthew Maguire
Jan 18, 2018, Copper Contributor
Filtering log by date
Hi, I can't seem to find the right syntax for this query:
ProtectionStatus
| summarize ThreatStatusRank = max(ThreatStatusRank)
    by Computer, Time = bin(todatetime(DateCollected), 10m)
| summarize (Time, ThreatStatusRank) = argmax(Time, ThreatStatusRank) by Computer
| where ThreatStatusRank !in (150, 470)
| where TimeGenerated > ago(1d)   // after the summarize steps only Computer, Time and ThreatStatusRank remain
| project Computer, Rank = ThreatStatusRank
Neither timestamp nor TimeGenerated seem to work.
Any help is appreciated.
Thanks,
Matthew
2 Replies
- Matthew Maguire (Copper Contributor)
Hi, managed to get this working using the following:
ProtectionStatus
| where TimeGenerated > ago(1d)   // time filter applied while the column still exists
| summarize ThreatStatusRank = max(ThreatStatusRank)
    by Computer, Time = bin(todatetime(DateCollected), 10m)
| summarize (Time, ThreatStatusRank) = argmax(Time, ThreatStatusRank) by Computer
| where ThreatStatusRank !in (150, 470)
| project Computer, Rank = ThreatStatusRank
- Meir_Mendelovich
Microsoft
Yep, the time filter always has to come before summarize, and it is recommended to come as the first condition.
Meir
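The working query above, rerun against a small table constructed inline so the behaviour can be checked without a real ProtectionStatus table. This is an added example, not code from the thread: the rows, the AgeHours column used to place them relative to now(), and the computer names are made up, and the aggregate is spelled arg_max (the current name for the argmax used in the thread). Because summarize emits only the columns named in its by-clause and its aggregates, TimeGenerated is gone after the first summarize, which is why the filter has to sit before it.

```kusto
// Constructed stand-in for ProtectionStatus (added example, not real data).
// AgeHours places each row relative to now() so ago(1d) works on any day the query is run.
let ProtectionStatus =
    datatable(Computer:string, AgeHours:int, ThreatStatusRank:int)
    [
        "srv01", 3, 350,    // earlier threat
        "srv01", 1, 150,    // latest row carries a rank the query filters out
        "srv02", 2, 350,    // latest rank is kept
        "srv03", 1, 470,    // rank the query filters out
        "srv04", 72, 350,   // outside the ago(1d) window
    ]
    | extend TimeGenerated = now() - AgeHours * 1h
    | extend DateCollected = TimeGenerated;
ProtectionStatus
| where TimeGenerated > ago(1d)   // filter first: TimeGenerated still exists at this point
| summarize ThreatStatusRank = max(ThreatStatusRank)
    by Computer, Time = bin(todatetime(DateCollected), 10m)
// From here on the only columns are Computer, Time and ThreatStatusRank;
// a "where TimeGenerated > ago(1d)" placed below this line fails to resolve the column.
| summarize (Time, ThreatStatusRank) = arg_max(Time, ThreatStatusRank) by Computer
| where ThreatStatusRank !in (150, 470)
| project Computer, Rank = ThreatStatusRank
```

With these rows the result is a single row, srv02 with Rank 350: srv01's most recent 10-minute bucket has rank 150 and is excluded, srv03 is excluded by rank, and srv04 never passes the time filter. To see which columns survive a summarize, replace everything after the first summarize with `| getschema`; it lists exactly the by-columns and aggregate names, which is the quickest way to confirm where a time filter can still be applied.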