KQL, which is used by Azure Monitor, is case sensitive. Language keywords are usually written in lowercase. When you use names of tables or columns in a query, be sure to use the correct case, as shown on the schema pane.

## Table-based queries

Azure Monitor organizes log data in tables, each composed of multiple columns. All tables and columns are shown on the schema pane in Log Analytics in the Analytics portal. Identify a table that you're interested in, and then take a look at a bit of data:

```kusto
SecurityEvent
| take 10
```

The preceding query returns 10 results from the SecurityEvent table, in no specific order. This common way to get a glance at a table helps you understand its structure and content. The query starts with the table name SecurityEvent, which defines the scope of the query. The pipe (|) character separates commands, so the output of the first command is the input of the next. You can add any number of piped elements.

We could run the query even without adding `| take 10`. The command would still be valid, but it could return up to 30,000 results.

Use the take operator to view a small sample of records by returning up to the specified number of records. The selected results are arbitrary and displayed in no particular order. If you need to return results in a particular order, use the sort and top operators.

## Search queries

Search queries are better suited for finding records that include a specific value in any of their columns:

```kusto
search in (SecurityEvent) "Cryptographic"
| take 10
```

This query searches the SecurityEvent table for records that contain the phrase "Cryptographic." Of those records, 10 records are returned and displayed. If you omit the `in (SecurityEvent)` part and run only `search "Cryptographic"`, the search goes over all tables. The process would then take longer and be less efficient. Search queries are ordinarily slower than table-based queries because they have to process more data.

## Sort and top

This section describes the sort and top operators and their desc and asc arguments. Although take is useful for getting a few records, you can't select or sort the results in any particular order. To get an ordered view, use sort and top.

Use the desc argument to sort records in descending order. Descending is the default sorting order for sort and top, so you can usually omit the desc argument. For example, a query that sorts SecurityEvent by the TimeGenerated column returns the data in descending order whether or not you add the desc argument.

The sort operator sorts the query results by the column you specify. However, sort doesn't limit the number of records that are returned by the query. For example, the following query returns all available records for the SecurityEvent table, which is up to a maximum of 30,000 records, and sorts them by the TimeGenerated column:

```kusto
SecurityEvent
| sort by TimeGenerated
```

The preceding query could return too many results. Also, it might take some time to return the results. The query sorts the entire SecurityEvent table by the TimeGenerated column. The Analytics portal then limits the display to only 30,000 records.

The best way to get only the latest records is to use the top operator. Use the top operator to sort the entire table on the server side and then return only the top records. For example, the following query returns the latest 10 records:

```kusto
SecurityEvent
| top 10 by TimeGenerated
```

## Filter on a condition

Filters, as indicated by their name, filter the data by a specific condition. Filtering is the most common way to limit query results to relevant information. To add a filter to a query, use the where operator followed by one or more conditions. For example, the following query returns only SecurityEvent records where Level equals 8:

```kusto
SecurityEvent
| where Level == 8
```
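The queries below are an added example that ties the operators described above (take, search, sort, top, desc/asc and where) together; they are not part of the original tutorial or of Microsoft's documentation. They assume the standard Azure Monitor SecurityEvent columns TimeGenerated, EventID, Account and Activity, a workspace that holds Windows security audit events, and the built-in KQL function `ago()` and operators `=~` and `has`; the account name is a placeholder, and the choice of Activity as the column that carries the phrase "Cryptographic" is an assumption.

```kusto
// Added example, not part of the original tutorial or of Microsoft's docs.
// Assumes the standard Azure Monitor SecurityEvent columns TimeGenerated,
// EventID, Account and Activity, and that the workspace holds Windows
// security audit events. Run each query separately in Log Analytics.

// --- 1. Filter before ordering -------------------------------------------
// `where` is evaluated server side and cuts the rows down before any sort,
// so put the most selective conditions first. `ago(24h)` is the built-in
// KQL function for "now minus 24 hours". Event ID 4625 is the Windows
// audit event for a failed logon.
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625
| top 10 by TimeGenerated          // newest 10 failed logons; desc is the default

// --- 2. top versus sort + take -------------------------------------------
// These two return the same rows, but `top` tells the engine it only needs
// the first 10 after ordering; `sort` orders every matching row (the portal
// then caps the display at 30,000) before `take` trims the result.
SecurityEvent
| where EventID == 4625
| sort by TimeGenerated desc       // `sort by TimeGenerated` alone is identical
| take 10

// --- 3. asc for the oldest rows ------------------------------------------
SecurityEvent
| where EventID == 4625
| top 10 by TimeGenerated asc      // earliest 10 in the retained range

// --- 4. Case sensitivity in filters --------------------------------------
// `==` is case sensitive, so "administrator" and "ADMINISTRATOR" differ.
// `=~` is the case-insensitive equality operator; use it when account
// names arrive in mixed case from different hosts. The account name is
// a placeholder; @"..." is a verbatim string so the backslash is literal.
SecurityEvent
| where EventID == 4625 and Account =~ @"CONTOSO\placeholder-account"
| sort by TimeGenerated desc
| take 20

// --- 5. search scoped to one table versus a column filter ----------------
// `search` scans every column as text; the `where` form targets one column
// and is cheaper. Activity is an assumed column for the phrase.
search in (SecurityEvent) "Cryptographic"
| take 10

SecurityEvent
| where Activity has "Cryptographic"
| take 10
```

When reviewing someone else's query, the first thing to check is the order of the pipeline: a `where` on TimeGenerated or EventID placed before `sort`/`top` keeps the server from ordering the whole table, which is exactly the cost the tutorial warns about with the bare `sort by TimeGenerated` query.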