Forum Discussion
Log Analytics Query for computer last login/active date and time
We will get there I promise, none of those actually show the Table Name (just the Category and Solution names), its the next level of detail after those we need, this query will show that detail:
union withsource = TableName *
| where isnotempty(Computer)
| summarize dcount(Computer) by TableName
| order by dcount_Computer desc
You should get a report like this (its this we need to see):
| TableName | dcount_Computer |
|---|---|
| InsightsMetrics | 33 |
| Perf | 33 |
| ConfigurationData | 32 |
| Operation | 32 |
| Heartbeat | 32 |
| Update | 31 |
| ProtectionStatus | 30 |
| SecurityBaseline | 24 |
| SecurityBaselineSummary | 24 |
| ConfigurationChange | 21 |
With that I know two things:
1. the real TableName (column 1) and
2. a count of unique computers, which gives me a hint that there is some data to look at.
Thanks for your patience
Never mind!
I added OSVersion to query.
The only thing I am curious about is how to get all the tables or atleast the useful once on my portal.
Thanks! That is helpful I believe. Can we add one more column where it will give the Current windows update version of system like 1903 or 1909. Right now it is giving us the OS build version.
Also, can you help me on how to add all the tables or the important ones that are always helpful?
Ah, that is Good and Bad, none of the Tables in that list that start with a "W" hold any logon / last accessed data (as far as I can see). The only one with promise is the Usage table, but that only holds one computer! I don't think you have collected any data in a table that pertains to login info?
LastScan will tell you that the computer was on at that time, so I added that. I'm not sure what else I can do given the data. Is this right?
WaaSDeploymentStatus | where UpdateCategory == "Quality" and TimeGenerated > ago(60d) | summarize arg_max(ReleaseName, DeploymentStatus, DetailedStatus, DetailedStatusLevel, ExpectedInstallDate, LastScan, UpdateReleasedDate ) by Computer