cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Expanding Alert Log Search Query

tkeller
Occasional Contributor

‎Dec 03 2019 01:12 PM - last edited on ‎Apr 08 2022 10:13 AM by

‎Dec 03 2019 01:12 PM - last edited on ‎Apr 08 2022 10:13 AM by

Expanding Alert Log Search Query

Hello -

We have an alert setup that does the following:

W3CIISLog
| where Computer == "W9" or Computer == "W10"
| summarize Hits=count() by cIP
| where Hits >= 600
| where cIP !startswith "10.0"
| order by Hits desc

And what I would like is for those results to then be piped into this query and the results returned:

W3CIISLog
| where cIP == "192.34.85.134"
| summarize count () by csUriStem
| order by count_ desc

Any help is greatly appreciated.

1,199 Views
0 Likes
7 Replies
Reply
7 Replies
hspinto

‎Dec 03 2019 04:05 PM

‎Dec 03 2019 04:05 PM

Re: Expanding Alert Log Search Query

@tkeller, something like this?

 

W3CIISLog
| where Computer == "W9" or Computer == "W10"
| summarize Hits=count() by cIP
| where Hits >= 600
| where cIP !startswith "10.0"

| join kind=inner (W3CIISLog | summarize UriHits = count() by cIP, csUriStem) on cIP

| project cIP, Hits, csUriStem, UriHits
| order by Hits desc, UriHits desc
 
0 Likes
Reply
tkeller

‎Dec 03 2019 10:49 PM

‎Dec 03 2019 10:49 PM

Re: Expanding Alert Log Search Query

@hspintowill check this out tomorrow, thanks for the reply (y)

0 Likes
Reply
tkeller

‎Dec 04 2019 11:56 AM

‎Dec 04 2019 11:56 AM

Re: Expanding Alert Log Search Query

@hspintothat does indeed return part of the desired results, but it truncates them... I assume because of "Summarize"?  Is there a better results collector, and is there a way to better format the results?

Thank you very much

0 Likes
Reply
hspinto

‎Dec 04 2019 01:36 PM

‎Dec 04 2019 01:36 PM

Re: Expanding Alert Log Search Query

@tkeller, what do you mean by truncating? Do you wanted to see more columns or more rows? Summarize indeed reduces the column span to what is specified in the aggregation - if you want more columns, you have to add them to the aggregation. Regarding row count, Log Analytics has a limit on the number of rows returned by a query (10,000).

 

Can you elaborate more on the results format?

 

Thank you!

0 Likes
Reply
tkeller

‎Dec 05 2019 01:50 PM

‎Dec 05 2019 01:50 PM

Re: Expanding Alert Log Search Query

@hspintoIt is working very well it's just the Alert email is truncated, but clicking on the link to the results gives all the details.  Ok Last Question...

 

How to set a low threshold i.e. I don't care about hits or URLS less than 50 ?

 

You are extremely helpful @hspinto , thank you very much!

0 Likes
Reply
best response confirmed by tkeller (Occasional Contributor)
hspinto

‎Dec 05 2019 02:46 PM

‎Dec 05 2019 02:46 PM

Solution

Re: Expanding Alert Log Search Query

Glad I am helping, @tkeller.

 

Regarding the low threshold, I am not sure I understood what you meant, but:

 

[I am also structuring the query better]

 

1) If you want to exclude hits/URLs counts less than 50

 

W3CIISLog
| where (Computer == "W9" or Computer == "W10") and cIP !startswith "10.0"
| summarize Hits=count() by cIP
| where Hits >= 600

join kind=inner (W3CIISLog | summarize UriHits = count() by cIP, csUriStem) on cIP

project cIP, Hits, csUriStem, UriHits
| where Hits > 50 and UriHits > 50
order by Hits desc, UriHits desc
 

2) If you want just the topmost 50 cIP:

 

W3CIISLog
| where (Computer == "W9" or Computer == "W10") and cIP !startswith "10.0"
| summarize Hits=count() by cIP
| where Hits >= 600

| order by Hits desc

| limit 50
join kind=inner (W3CIISLog | summarize UriHits = count() by cIP, csUriStem) on cIP

project cIP, Hits, csUriStem, UriHits
order by Hits desc, UriHits desc
// I don't think we can limit here further for UriHits results
 

 

1 Like
Reply
tkeller

‎Dec 05 2019 03:20 PM

‎Dec 05 2019 03:20 PM

Re: Expanding Alert Log Search Query

@hspintoyou da man! 

0 Likes
Reply