Filtering log by date

Matthew Maguire · ‎Jan 18 2018

Hi, I can't seem to find the right syntax for this query:

ProtectionStatus
| summarize ThreatStatusRank = max(ThreatStatusRank) by Computer, Time = bin(todatetime(DateCollected), 10m)
| summarize(Time, ThreatStatusRank) = argmax(Time, ThreatStatusRank) by Computer
| where ThreatStatusRank !in (150, 470)
| where TimeGenerated  > ago(1d)
| project Computer, Rank = ThreatStatusRank

Neither timestamp nor TimeGenerated seem to work.

Any help is appreciated.

Thanks,

Matthew

Matthew Maguire · ‎Jan 18 2018

Hi, managed to get this working using the following:

ProtectionStatus
| where TimeGenerated > ago(1d)
| summarize ThreatStatusRank = max(ThreatStatusRank) by Computer, Time = bin(todatetime(DateCollected), 10m)
| summarize(Time, ThreatStatusRank) = argmax(Time, ThreatStatusRank) by Computer
| where ThreatStatusRank !in (150, 470)
| project Computer, Rank = ThreatStatusRank

Meir Mendelovich · ‎Jan 19 2018

Yep, the time filter always have to come before summarize and it is recommended to come as the first condition.

Meir

Matthew Maguire · ‎Jan 18 2018

Hi, managed to get this working using the following:

ProtectionStatus
| where TimeGenerated > ago(1d)
| summarize ThreatStatusRank = max(ThreatStatusRank) by Computer, Time = bin(todatetime(DateCollected), 10m)
| summarize(Time, ThreatStatusRank) = argmax(Time, ThreatStatusRank) by Computer
| where ThreatStatusRank !in (150, 470)
| project Computer, Rank = ThreatStatusRank

View solution in original post

Filtering log by date

Filtering log by date

Re: Filtering log by date

Re: Filtering log by date

Re: Filtering log by date

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Filtering log by date