Forum Discussion
Azure Log analytics
- Aug 21, 2019
If you have less than 10,000 unique computers, then a summarize or pivot should be able to help:
- reduce time the query takes
- reduce complexity
- get all the details about a computer on a single row
UAOfficeAddIn
| where OfficeAddInName != ""
| evaluate pivot(OfficeAddInName, count(ComputerID), Computer)
| sort by Computer asc
or
UAOfficeAddIn
| where OfficeAddInName != ""
| summarize AddIn = make_set(OfficeAddInName), version = make_set(OfficeProductVersion) , count() by Computer
If you have more than 10,000 computers - well done 🙂 You could divide the query by Computer start letter, and get A-G, then H-P etc...
- Robert James Reber, Aug 21, 2019, Brass Contributor
Clive, I have 15,000 PCs. I tried this because I have 441 or so add-ins.
UAOfficeAddIn
| where OfficeAddInName != " "
| summarize AddIn = makelist(Computer), count(computer) by OfficeAddInName
This returns AddInName, then all PCs with that add-in: 8,900. The aggregate I took a few weeks ago shows ~11,000 PCs as having the Microsoft Exchange add-in, while this query shows 8,900 for the same add-in. I of course do not want to miss any PCs in my query. Do you think I captured everything with this query? Or have I been bitten by the 10,000 record limit just the same? Thanks again for your suggestions. I think I am pretty close.
- CliveWatson, Aug 21, 2019, Former Employee
Note: https://docs.microsoft.com/en-us/azure/kusto/query/makeset-aggfunction you should always use make_set or make_list, which have replaced makeset and makelist, as the older functions have a 128 limit.
make_set is probably the one to use, as it "Returns a dynamic(JSON) array of the set of distinct values that Expr takes in the group."
The aim here is to get the row (record) count below 10,000; then you know you have all the data. If you have 441 then all should be OK. Also look out for the 500 column limit, but I think you are a long way from that.
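One way to confirm that a per-add-in computer list was not cut short by a list-size limit, as an added example that is not part of the original thread. The table and column names are the ones used in the posts above; the 20000 maximum size is an assumed value chosen to sit above the 15,000 PCs mentioned.

```kusto
// Added example: count distinct computers per add-in exactly, then flag any
// add-in whose collected list is shorter than that count (i.e. truncated).
UAOfficeAddIn
| where isnotempty(OfficeAddInName)
// Collapse to one row per (add-in, computer) pair, so count() below is an
// exact distinct-computer count rather than an estimate.
| summarize by OfficeAddInName, Computer
| summarize
    ComputerCount = count(),
    Computers = make_set(Computer, 20000)   // assumed cap, above the fleet size
    by OfficeAddInName
| extend Collected = array_length(Computers)
| extend Truncated = Collected < ComputerCount
| sort by ComputerCount desc
```

The result has one row per add-in, so it stays well under the 10,000-row limit; any row with Truncated == true means the list for that add-in is incomplete and the cap needs raising or the query needs splitting.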
- Robert James Reber, Aug 22, 2019, Brass Contributor
Clive, I wonder if you can help me with this question. When I do the below query I get strange results? In other words, if I set my timeframe for 24hrs, or 7 days, or custom (15 days) my numbers keep changing. I'm not sure I feel confident with any of these numbers right now. Am I looking at Log Analytics incorrectly? I want a list of all PCs that have this add-in, which will be in excess of 12,000, so I limit my scope to fewer geographic locations as you suggested the other day and I still get inconsistent numbers based on the Time Range I select?
search in (UAOfficeAddIn) OfficeAddInName == "Microsoft VBA for Outlook Addin"
| where Computer !contains "US" and Computer !contains "GB" and Computer !contains "SG"
| order by Computer