Sep 14 2021 02:22 AM - edited Sep 14 2021 02:22 AM
Hi Community,
We pump the Windows security event logs of some computers into the Azure Sentinel SIEM. Now we retrieve those logs from Sentinel into a local database by using the REST API. The problem is that when the result set is large, the API returns an error message like "Result size too large". So we want to implement pagination, fetch the data from the SIEM, and store it in the local DB.
However, according to the MS docs, KQL doesn't support a "Skip" operator.
So are there any ideas on how to implement this pagination method to fetch a large result set from the SIEM?
Sep 14 2021 04:40 AM
@Peter_custodio Can you limit the amount of data being returned by limiting the time range that you are looking at? Granted, it will take multiple calls, but it should work.
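The time-range approach in the reply above can be made automatic instead of hand-tuned: query a window, and whenever the service rejects the result as too large, halve the window and retry until every piece fits. The script below is an added example written for this thread, not code from either poster or from Microsoft. It assumes the events live in the `SecurityEvent` table, that the REST adapter raises a `ResultTooLarge` exception on the "Result size too large" response, and it replaces the real Log Analytics endpoint with a constructed in-memory stand-in (`FakeSentinel`) so it runs offline; the sample data is also constructed.

```python
import re
from datetime import datetime, timedelta, timezone


class ResultTooLarge(Exception):
    """Raised by the query runner when the service rejects the result size."""


# Assumed query shape: a half-open time window on SecurityEvent, oldest first.
# Only the window bounds change between calls, so no skip/offset is needed.
KQL_TEMPLATE = (
    "SecurityEvent\n"
    "| where TimeGenerated >= datetime({start}) and TimeGenerated < datetime({end})\n"
    "| order by TimeGenerated asc"
)
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def build_query(start: datetime, end: datetime) -> str:
    return KQL_TEMPLATE.format(start=start.strftime(TS_FMT), end=end.strftime(TS_FMT))


def fetch_range(run_query, start, end, min_window=timedelta(minutes=1)):
    """Return (rows, call_count) for [start, end), halving any window that is too large.

    run_query(kql) must return a list of rows or raise ResultTooLarge. Windows are
    half-open and disjoint, so no row is fetched twice and no dedup is needed.
    """
    rows, calls = [], 0
    stack = [(start, end)]
    while stack:
        lo, hi = stack.pop()
        calls += 1
        try:
            rows.extend(run_query(build_query(lo, hi)))
        except ResultTooLarge:
            if hi - lo <= min_window:
                # Halving no longer helps (e.g. a burst inside one minute); the
                # query needs a second filter such as EventID or Computer.
                raise RuntimeError(f"window [{lo}, {hi}) still too large")
            mid = lo + (hi - lo) / 2
            stack.append((mid, hi))  # pushed first so the left half is fetched first
            stack.append((lo, mid))
    return rows, calls


class FakeSentinel:
    """Constructed offline stand-in for the Log Analytics query endpoint.

    A real runner would POST {"query": kql} with a bearer token to
    https://api.loganalytics.io/v1/workspaces/<workspaceId>/query and turn the
    tables/rows JSON into dicts; this fake filters an in-memory list and rejects
    anything above max_rows the way the service rejects oversized results.
    """

    def __init__(self, events, max_rows):
        self.events = sorted(events, key=lambda e: e["TimeGenerated"])
        self.max_rows = max_rows

    def __call__(self, kql):
        lo, hi = (datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)
                  for s in re.findall(r"datetime\(([^)]+)\)", kql))
        hit = [e for e in self.events if lo <= e["TimeGenerated"] < hi]
        if len(hit) > self.max_rows:
            raise ResultTooLarge(f"{len(hit)} rows exceeds limit of {self.max_rows}")
        return hit


def build_sample_events(day: datetime):
    """Constructed data: one event every 30 s for a day plus a 400-row burst at 04:00."""
    base = [{"id": f"b{k}", "TimeGenerated": day + timedelta(seconds=30 * k)}
            for k in range(2880)]
    burst = [{"id": f"x{i}", "TimeGenerated": day + timedelta(hours=4, milliseconds=100 * i)}
             for i in range(400)]
    return base + burst


def run_demo():
    """Pull one full day; the 24 h window is split until each piece is under 500 rows."""
    day = datetime(2021, 9, 14, tzinfo=timezone.utc)
    sentinel = FakeSentinel(build_sample_events(day), max_rows=500)
    return fetch_range(sentinel, day, day + timedelta(days=1))


def run_unsplittable_demo():
    """600 rows packed into one second: halving cannot help, so fetch_range gives up."""
    t0 = datetime(2021, 9, 14, tzinfo=timezone.utc)
    burst = [{"id": f"x{i}", "TimeGenerated": t0 + timedelta(milliseconds=i)} for i in range(600)]
    try:
        fetch_range(FakeSentinel(burst, max_rows=500), t0, t0 + timedelta(hours=1))
    except RuntimeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    rows, calls = run_demo()
    print(f"{len(rows)} rows in {calls} calls; first {rows[0]['id']}, last {rows[-1]['id']}")
    print(run_unsplittable_demo())
```

Because the windows are half-open and disjoint, a daily Task Scheduler run only needs the last window end it committed to the local DB as its next start; the number of API calls adapts to how busy the day was. The `min_window` guard is the important caveat: a burst of events in a few seconds cannot be split by time alone, so the script stops with an error rather than looping, and that case needs an extra filter (for example by `Computer` or `EventID`) in the query.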
Sep 16 2021 06:31 PM
@Gary Bushey
Thanks for your suggestion. We want to fetch the data from Sentinel every day by using a Task Scheduler job, insert it into the local DB, and then query it.
So instead of calling multiple times in a day, are there any other ways to fetch a large result set in one call?
Sep 17 2021 03:58 AM
Solution