Mar 22 2023 05:16 AM
Hi,
Currently using the following KQL on various tables to check whether the number of devices has changed between the current week and the previous.
Mar 23 2023 10:54 AM
Mar 23 2023 02:09 PM
Mar 23 2023 11:50 PM
@tipper1510 The other way would be to just show the new Computers not seen before (added):
// Computers seen in the prior window (7 days ago up to 1 day ago)
let previousComputers =
Syslog
| where TimeGenerated between (ago(7d) .. ago(1d))
| distinct Computer;
// Computers seen in the last day that were not in the prior window
Syslog
| where TimeGenerated > ago(1d)
| where Computer !in (previousComputers)
Then, as a rough example, you can do the counts for old vs. added - there are other ways to do this but I kept it simple (I hope).
// Distinct count of Computers in the prior window, as a scalar
let previousComputersCount = toscalar(
Syslog
| where TimeGenerated between (ago(7d) .. ago(1d))
| summarize dcount(Computer));
// Set of Computers in the prior window, for the !in filter below
let previousComputers =
Syslog
| where TimeGenerated between (ago(7d) .. ago(1d))
| distinct Computer;
Syslog
| where TimeGenerated > ago(1d)
| where Computer !in (previousComputers)
// take_any() is the current name of the deprecated any() aggregate
| summarize addedCount_ = dcount(Computer), addedComputers=make_set(Computer), previousComputersCount=take_any(previousComputersCount)
// now do your percent calc
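As an added example (not the reply's own query), the following KQL finishes the percent calculation and also reports the opposite direction: computers that logged in the prior window but have gone silent in the last day, which is the case a defender usually cares about more, since a host that stops sending Syslog may have a stopped agent, a changed forwarding config, or a decommissioning nobody recorded. It assumes only the Syslog table with its standard TimeGenerated and Computer columns, as in the reply above; the window boundaries (7d and 1d) are copied from the reply and can be adjusted.

```kql
// Added example, not from the original reply. Compares the set of Computers
// seen 7d..1d ago with the set seen in the last 1d, and reports counts,
// percent change, and the added/dropped hosts.
let previousWindow = Syslog
    | where TimeGenerated between (ago(7d) .. ago(1d))
    | distinct Computer;
let currentWindow = Syslog
    | where TimeGenerated > ago(1d)
    | distinct Computer;
print
    previousCount = toscalar(previousWindow | count),
    currentCount  = toscalar(currentWindow | count),
    // seen now, not before: new or unexpected log sources
    addedComputers = toscalar(currentWindow
        | where Computer !in (previousWindow)
        | summarize make_set(Computer)),
    // seen before, silent now: agent stopped, forwarding broken, or host gone
    droppedComputers = toscalar(previousWindow
        | where Computer !in (currentWindow)
        | summarize make_set(Computer))
| extend addedCount = array_length(addedComputers),
         droppedCount = array_length(droppedComputers)
// Guard the division: an empty prior window yields null rather than an error
| extend percentChange = iif(previousCount == 0, real(null),
         round(100.0 * (currentCount - previousCount) / previousCount, 2))
| project previousCount, currentCount, percentChange,
          addedCount, droppedCount, addedComputers, droppedComputers
```

Because `summarize make_set()` without a `by` clause returns one row even on empty input, `toscalar` always yields an array (possibly empty), so `array_length` never hits a null. Note that comparing a 6-day window against a 1-day window will flag any host with a reporting cadence longer than a day as "dropped"; if that produces noise, widen the current window or compare two equal-length windows.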