Tag[kql] Recent Newest Questions

Can someone assist me with my KQL query to create an alert for login failures in Azure Sentinel?

QueryI am trying to build a alert for multiple login failures followed by success for a user on one host . I got a query which is producing incorrect ...

Sentinel KQL query to extract JSON from syslog data (source is CSW / Tetration)

Below is an example syslog message coming into Sentinel from Cisco Secure Workload (formerly Tetration): Need assistance in parsing this as there i ...

KQL query in Sentinel to pull first and last activity in a day for user

I need help to pull out data for first and last activity for a specific user. For example to see if the first activity was Microsoft teams and when. A ...

KQL Azure Alert only fire if other event has not been logged

I have a basic azure alert where it looks at the windows logs of a VM, and determines whether it should fire an alert upon detecting a specific event ...

How to pull a single value from json in Azure Logic Apps:?

I have the following. I'm trying to pull a single value out but no matter how I try and pull it, I get nothing. ...

using KQL to Identify the absence of a value within a JSON message

I am storing JSON messages within an ADX table. The datatype of the JSON column is a string. Within the JSON message is an array that looks like this ...

Syntax error: SYN0001 despite it working on the Kusto query editor online

I'm building queries in Python and executing them on my Kusto clusters using Kusto client's execute_query method. I've been hit by the following erro ...

Unable to get query to achieve specific result

I am working with azure logs and want to get better data for my monitoring. Since I never really worked with sql, kql and other I'm fairly new to it. ...

KQL - Remove Characters from String

just starting out with KQL, I currently have a string which is set to: "server1-Incremantal") I am looking to remove the front '"' and trailing '")' . ...

How to add hyperlink in KQL query result in Azure Application insight

In image there is a tile named "Product total request" having two column. I want to add hyperlink on column number 2 which is "Total" and on the click ...

Kusto Query Language - Round datetime to nearest month using bin

I have plenty of logs with its own timestamp, and I am trying to count the logs on a monthly basis. Here is a sample table and query using bin(30d): ...

How does Kusto series_outliers() calculate anomaly scores?

Can someone please explain how the series_outliers() Kusto function calculates the anomaly scores? I understand that it uses Tukey fences with a min p ...

Kusto Query: filter values of nested JSON Array

I want to transform the content of the table by filtering the "values" array so it contains only values which are lesser than the lower bound or gre ...

Azure Data Explorer ingest text Log Files with custom delimiter

I'm trying to use Azure Data Explorer to ingest some logs (IIS Logs, POP3 logs, IMAP logs) that contain values delimited by space. I would have expec ...

How to force an ADX to update from source with all historical data

Does anyone know a way to force a child table to update from the source table? it would be a one off command to run when the child table is created, t ...

Kusto Query: Join tables with different datatypes

How would you join two tables based on two columns with same names, but different datatypes? In this example, phone_number is string in table_1 and in ...

Reading data from a custom log in azure log analytics

I have linked the following log itno azure log anlytic environment via customer log I want to now the value of X (which is the client) and then the ...

KQL | How do I extract or check for data in a long string with many quotation marks?

I'm super newbie to KQL and data in general. I'm working with a data column with long strings like this: "data": {"stageID":1670839857060,"entities" ...

Kusto - Adding a column to an existing materialized view

I would like to add a column to an existing Materialized View in Kusto. In this example I am using the table test2 Now I am trying to add a column ...

KQL: Exclude partial string from results using Sentinel Watchlists

Using a watchlist to store domains to be excluded from this query. However unable to filter out the domains on the watchlist from the results. Dealing ...