SOLVED

Querying Alert Data Dynamically

Microsoft

I'm querying Alerts from OMS. I'd like to get the results from the Alerts for every alert so that I can get that data somewhere other than an email. I'm stumped on how to do a sub query based upon the contents of the Query field.


Here's my base query:

Alert
| limit 100
| project TimeGenerated, AlertSeverity, AlertName, Query


I'm looking to take the contents of the Query field (ex: Heartbeat | order by TimeGenerated | limit 1). Can someone point me in the right direction?

1 Reply
best response confirmed by Jason Dempsey (Microsoft)
Solution

Hi Jason,


I'm not sure I understand what you are looking to do. In general, the query field is a text field that you can handle like any other text field. For example:


Alert
| parse Query with QuerySource "|" *
| summarize count() by QuerySource

Hope it helps,
Meir
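An added example that builds on the parse step in the answer above (my own code, not Meir's or anything from the thread): the Alert rows are constructed with datatable so it runs without an OMS workspace, and it handles two things a real Query field will throw at you, the whitespace parse keeps in front of the "|" and a query that has no pipe at all.

```kusto
// Added example, not from the original thread: the Alert rows below are constructed
// with datatable so the parse can be tried without an OMS workspace.
datatable(TimeGenerated:datetime, AlertSeverity:string, AlertName:string, Query:string)
[
    datetime(2018-01-10 08:00:00), "Warning",       "Agent heartbeat", "Heartbeat | order by TimeGenerated | limit 1",
    datetime(2018-01-10 08:05:00), "Critical",      "Failed logons",   "SecurityEvent | where EventID == 4625 | summarize count() by Account",
    datetime(2018-01-10 08:10:00), "Warning",       "Agent heartbeat", "Heartbeat | summarize max(TimeGenerated) by Computer",
    datetime(2018-01-10 08:15:00), "Informational", "Raw table alert", "Perf"
]
// Text before the first "|" becomes QuerySource; "*" discards everything after it.
| parse Query with QuerySource "|" *
// A Query with no pipe does not match the pattern and leaves QuerySource empty,
// so fall back to the whole string, then trim the space parse keeps before the "|".
| extend QuerySource = trim(@"\s+", iif(isempty(QuerySource), Query, QuerySource))
| summarize Alerts = count(), LastFired = max(TimeGenerated), Names = make_set(AlertName) by QuerySource
| order by Alerts desc
```

Without the trim, "Heartbeat " and "Heartbeat" would land in separate summarize buckets, which is the usual reason a count-by-source looks wrong.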