New Blog Post | Must Learn KQL Part 10: The Count Operator



If you remember, in the last part of this series (Part 9 on limit and take operators) I noted that in the query tool the query results are limited to 30,000 rows. Depending on how far back the data is being stored, i.e., your Log Analytics workspace retention settings, there might be hundreds of thousands of rows of data in the tables. Now, going back to what I said before (also in Part 9), if you need more than 1,000 rows of data to determine if something exists or is impactful to the environment, you might want to change your strategy. In my opinion, just knowing that a potential security situation exists is important enough to circle the wagons.


But a count of something is a good measure to get a better understanding of the overall impact of a situation.

