So I am analyzing the events of my users and separating them by name. That works really well, but the problem I am running into is that some of the event names are pretty much the same action. For example, if Azure tracks an "Added Scan:" it always includes the filename, "Added Scan: T-885_J....", and separates it into a different row. So what I am trying to figure out is: how can I "merge" more than one instance of the same action, like "Added Scans", into one row and keep the rest separated?
I tried it with e.g. "name startswith("Added")", but with this I can only merge one row.
I would be really grateful if somebody has an idea!
let added =
| where timestamp > ago(1d);
| summarize adoc=count(), adli = makelist(name), b = makeset(user_Id) by name
| extend sumname = substring(adli, 2, 10)
| project sumname, adoc, adli, b
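
One way to get one row per action, as an added example that is not part of the original post: derive a grouping key from the text before the first ":" and summarize by that key instead of by the full name. It assumes the variable part (the filename) always follows a colon; the `events` table, the `action` and `colon` columns and all sample rows are constructed for illustration.

```kql
// Constructed sample rows standing in for the real event table.
let events = datatable(timestamp: datetime, name: string, user_Id: string)
[
    datetime(2024-01-01 09:00), "Added Scan: sample_file_A", "u1",
    datetime(2024-01-01 09:05), "Added Scan: sample_file_B", "u2",
    datetime(2024-01-01 09:10), "Added Scan: sample_file_C", "u1",
    datetime(2024-01-01 09:20), "Deleted Scan: sample_file_A", "u2",
    datetime(2024-01-01 09:30), "Login", "u3",
    datetime(2024-01-01 09:40), "Login", "u1"
];
events
// On real data, keep the time filter here, e.g. | where timestamp > ago(1d)
| extend colon = indexof(name, ":")
// Text before the first ":" is the action; names without ":" are kept whole.
| extend action = trim(@"\s+", iff(colon >= 0, substring(name, 0, colon), name))
| summarize adoc = count(),            // events per action
            adli = make_list(name),    // full names that were merged
            b    = make_set(user_Id)   // distinct users per action
          by action
| order by adoc desc
```

Every "Added Scan: ..." event lands in a single "Added Scan" row, while "Deleted Scan" and "Login" stay in rows of their own.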