Jul 19 2019 12:28 PM - last edited on Apr 07 2022 06:00 PM by TechCommunityAP
Hi All,
I want to create a pie chart that can populate the count of two types of VMs that have either a security or a critical patch missing.
Like: I have 20 VMs and 15 have a Critical patch missing whereas 5 have security patch matching. So it will generate a pie chart with the count of VMs.
I have scratched my head and tried to write Kusto for the same, but I am not sure how to count "true" in an extended column, or how to summarize it.
2. The same representation as above for pending security patches
Jul 21 2019 12:34 PM
Update
| where TimeGenerated >= ago(1d)
| where (Classification == "Security Updates" or Classification == "Critical Updates")
| summarize count(Classification) by Computer
| sort by count_Classification desc
// render piechart
or
Update
| where TimeGenerated >= ago(1d)
| where (Classification == "Security Updates" or Classification == "Critical Updates")
| extend sec_server = (Classification == "Security Updates")
| extend cri_server = (Classification == "Critical Updates")
// countif counts only the rows where the flag is true
| summarize SecurityUpdate = countif(sec_server), CriticalUpdate = countif(cri_server) by Computer
| sort by CriticalUpdate desc, SecurityUpdate desc
// render barchart
Update
| where TimeGenerated >= ago(1d)
| where (Classification == "Security Updates" or Classification == "Critical Updates")
| summarize ServerThatMatchCriteria=dcount(Computer)
Jul 22 2019 12:57 AM
@CliveWatson Thanks a lot sir,
Now I am a bit stuck representing this through a pie chart, as I want servers that have missing security updates > 1 and also critical updates > 1. But when I thought about the query, I found the hurdles below:
If I go by Classification, then this field has either Security Updates or Critical Updates. And if I use the below line in the query, then I will get nothing in the result, since the field cannot hold both at a time.
Jul 22 2019 01:29 AM
In a table, this would work (not Pie chart)
Update
| where TimeGenerated >= ago(1d)
| where (Classification == "Security Updates" or Classification == "Critical Updates")
| where UpdateState == "Needed"
| summarize by Classification, Computer
| evaluate pivot(Classification)
or this, which allows you to see when > 1 for the two columns?
Update
| where TimeGenerated >= ago(1d)
| where (Classification == "Security Updates" or Classification == "Critical Updates")
| where UpdateState == "Needed"
| extend su = iif(Classification=="Security Updates", 1,0)
| extend cu = iif(Classification=="Critical Updates", 1,0)
| summarize dcount(su), dcount(cu) by Computer
| where dcount_cu > 1 and dcount_su > 1
Jul 22 2019 06:07 AM - edited Jul 22 2019 06:07 AM
@CliveWatson Thank you very much for the help.
Sir, is it possible to count the number of servers that have security and Critical patches missing?
Like, I have a total of 20 servers and 15 have security and 8 have critical patches missing. So I want the count of servers that have both kinds of patches missing.
Jul 22 2019 06:26 AM
Solution
Update
| where TimeGenerated >= ago(1d)
| where (Classification == "Security Updates" or Classification == "Critical Updates")
| where UpdateState == "Needed"
| extend su = iif(Classification=="Security Updates", 1,0)
| extend cu = iif(Classification=="Critical Updates", 1,0)
| summarize dcount(su), dcount(cu) by Computer
| where dcount_cu > 1 and dcount_su > 1
| count
Jul 22 2019 06:57 AM
Ahh.... I missed this simple thing.
@CliveWatson Thanks a lot Sir for helping me here 🙂
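An added example, not from any of the posts above: one way to get the pie chart asked for in the original question, by bucketing each computer according to which classifications it still needs and then counting computers per bucket. The table, filters and values come from the queries in the thread; the column names SecurityNeeded, CriticalNeeded, MissingPatches and Servers and the bucket labels are assumptions chosen for illustration.

```kusto
// Added example: servers per missing-patch bucket, rendered as a pie chart.
Update
| where TimeGenerated >= ago(1d)
| where Classification in ("Security Updates", "Critical Updates")
| where UpdateState == "Needed"
// One row per computer. The counts are row counts (a computer reports the
// same update many times a day), so they are used only as presence flags.
| summarize
    SecurityNeeded = countif(Classification == "Security Updates"),
    CriticalNeeded = countif(Classification == "Critical Updates")
    by Computer
// Every remaining computer needs at least one of the two classifications,
// so three buckets cover all cases.
| extend MissingPatches = case(
    SecurityNeeded > 0 and CriticalNeeded > 0, "Security and Critical",
    CriticalNeeded > 0, "Critical only",
    "Security only")
// After the summarize above there is exactly one row per computer,
// so count() here is the number of servers in each bucket.
| summarize Servers = count() by MissingPatches
| render piechart
```

The "Security and Critical" slice is the same number the accepted solution returns with `| count`, and the three slices add up to the distinct-computer total from the `dcount(Computer)` query earlier in the thread when the `UpdateState == "Needed"` filter is applied to it as well.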