cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

KQL - Devices NOT in Computer Groups

Speed1
Copper Contributor

‎Apr 13 2022 06:20 AM

‎Apr 13 2022 06:20 AM

KQL - Devices NOT in Computer Groups

Hi,

I'm trying to make an KQL Query for all computers that are NOT in 3 certain groups. I tried this but without success. There are always all computers because they are at least in the "Domain Computers" Group.

 

ComputerGroup
    | where (GroupSource == "ActiveDirectory")
    | where not(Group startswith "Groupname")
    | distinct Computer

Maybe somebody has a hint for me?

 

Best

Alex

 

2,806 Views
0 Likes
4 Replies
Reply
4 Replies
Clive_Watson

‎May 04 2022 07:29 AM

‎May 04 2022 07:29 AM

Re: KQL - Devices NOT in Computer Groups

I dont have this data, but did you try something like:

ComputerGroup
| where GroupSource !in ('ActiveDirectory','Grp2','Grp3')
| distinct Computer
0 Likes
Reply
Speed1

‎May 06 2022 02:58 AM

‎May 06 2022 02:58 AM

Re: KQL - Devices NOT in Computer Groups

Hi Clive,

thanks for your response. I already tried this but it doesn't work :(
When I filter per "ActiveDirectory" I don't get any result and when I filter per Group it returns always all computers.

Best
Alex
0 Likes
Reply
best response confirmed by Speed1 (Copper Contributor)
Clive_Watson

‎May 09 2022 02:00 AM

‎May 09 2022 02:00 AM

Solution

Re: KQL - Devices NOT in Computer Groups

@Speed1 

 

Maybe this is better?  I build a list of Computers in the 3 groups, then check which computers are not in that list

let allComputersinGroups = ComputerGroup
| where Group in ('Domain Controllers','Exchange Servers','fakeGroupName')
| summarize count() by Computer, Group;
ComputerGroup
| where  Computer !in (allComputersinGroups)
| summarize dcount(Computer),make_set(Computer)

  

0 Likes
Reply
Speed1

‎May 09 2022 04:31 AM

‎May 09 2022 04:31 AM

Re: KQL - Devices NOT in Computer Groups

This worked, thank you!
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Speed1 (Copper Contributor)
Clive_Watson

‎May 09 2022 02:00 AM

‎May 09 2022 02:00 AM

Solution

Re: KQL - Devices NOT in Computer Groups

@Speed1 

 

Maybe this is better?  I build a list of Computers in the 3 groups, then check which computers are not in that list

let allComputersinGroups = ComputerGroup
| where Group in ('Domain Controllers','Exchange Servers','fakeGroupName')
| summarize count() by Computer, Group;
ComputerGroup
| where  Computer !in (allComputersinGroups)
| summarize dcount(Computer),make_set(Computer)

  

View solution in original post

0 Likes
Reply