cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Filtering log by date

Matthew Maguire
New Contributor

‎Jan 18 2018 03:46 AM - last edited on ‎Apr 07 2022 04:51 PM by

‎Jan 18 2018 03:46 AM - last edited on ‎Apr 07 2022 04:51 PM by

Filtering log by date

Hi, I can't seem to find the right syntax for this query:

 
ProtectionStatus
| summarize ThreatStatusRank = max(ThreatStatusRank) by Computer, Time = bin(todatetime(DateCollected), 10m)
| summarize(Time, ThreatStatusRank) = argmax(Time, ThreatStatusRank) by Computer
| where ThreatStatusRank !in (150, 470)
| where TimeGenerated  > ago(1d)
| project Computer, Rank = ThreatStatusRank
Neither timestamp nor TimeGenerated seem to work.
Any help is appreciated.
 
Thanks,
Matthew
3,034 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Matthew Maguire (New Contributor)
Matthew Maguire

‎Jan 18 2018 04:29 AM

‎Jan 18 2018 04:29 AM

Solution

Re: Filtering log by date

Hi, managed to get this working using the following:
 
ProtectionStatus
| where TimeGenerated > ago(1d)
| summarize ThreatStatusRank = max(ThreatStatusRank) by Computer, Time = bin(todatetime(DateCollected), 10m)
| summarize(Time, ThreatStatusRank) = argmax(Time, ThreatStatusRank) by Computer
| where ThreatStatusRank !in (150, 470)
| project Computer, Rank = ThreatStatusRank
 
0 Likes
Reply
Meir Mendelovich

‎Jan 19 2018 12:26 PM

‎Jan 19 2018 12:26 PM

Re: Filtering log by date

Yep, the time filter always have to come before summarize and it is recommended to come as the first condition.

Meir
0 Likes
Reply