Querying Alert Data Dynamically


I'm querying Alerts from OMS. I'd like to get the results from the Alerts for every alert so that I can get that data somewhere other than an email. I'm stumped on how to do a sub-query based upon the contents of the Query field.


Here's my base query:

| limit 100
| project TimeGenerated, AlertSeverity, AlertName, Query


I'm looking to take the contents of the Query field (ex: Heartbeat | order by TimeGenerated | limit 1). Can someone point me in the right direction?

1 Reply
best response confirmed by Jason Dempsey (Microsoft)

Hi Jason,


I'm not sure I understand what you are looking to do. In general, the query field is a text field that you can handle like any other text field. For example:


| parse Query with QuerySource "|" *
| summarize count() by QuerySource
Hope it helps
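An added example that builds on the reply's point (this is not code from the original post or from Microsoft). The Query column is plain text, so it can be dissected with string functions; what KQL cannot do is execute that text as a query at runtime, so actually running each stored query has to happen outside the workspace (for instance through the Log Analytics query API). The query below assumes the alerts live in a table named Alert, which the base query in the question omits, and it uses split() instead of parse so that a Query with no pipe still yields a source table rather than an empty column.

```kusto
// Added example, not part of the original post. Assumes an Alert table;
// adjust the table name to match your workspace.
Alert
| where TimeGenerated > ago(7d)
// Query is ordinary text. Taking the segment before the first pipe gives the
// source table, and split() returns the whole string when no pipe is present,
// where `parse Query with QuerySource "|" *` would leave QuerySource empty.
| extend QuerySource = trim(@"\s+", tostring(split(Query, "|")[0]))
// Flag alert queries that carry their own filtering, so rules that fire on
// an unfiltered table scan stand out in the summary.
| extend HasWhere = Query contains "| where"
| summarize Fired = count(), LastFired = max(TimeGenerated), SampleQuery = any(Query)
    by AlertName, AlertSeverity, QuerySource, HasWhere
| order by Fired desc
```

The summary groups every alert by the table its query starts from, which is usually the first thing needed when deciding where the alert data should be shipped instead of an email; the SampleQuery column keeps one full query per group so it can be handed to an external caller that runs it.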