by Patrik
Kusto Query Language
The Kusto Query Language (KQL) is a plain-text, read-only request language used to query large datasets. Products that use KQL include Azure Data Explorer, Microsoft Defender for Endpoint (formerly Microsoft Defender ATP), Log Analytics (Azure Monitor), and Microsoft Sentinel (formerly Azure Sentinel).
Create List
let set1 = toscalar (AzureNetworkAnalytics_CL | take 1 | project FlowCount_d); print set1
Note that toscalar() evaluates the query and returns the first column of its first row, so set1 here is a single FlowCount_d value rather than a list. To bind an actual list, aggregate with summarize make_list(...) (or make_set() to de-duplicate) before calling toscalar(), as the outbound-destination query further down does.
Compare two lists
let history = dynamic (['20.150.9.36','20.50.65.82']); let current = dynamic (['20.150.9.36','20.50.65.82', '10.0.0.10']); print set_difference(current, history)
set_difference() returns the elements of the first array that are not present in the second, so this prints ["10.0.0.10"]. The argument order matters: set_difference(history, current) would return an empty array.
Find outbound destination IPs not seen in the previous two days
let startdate = ago(1h);
let current = toscalar(AzureNetworkAnalytics_CL
| where FlowStartTime_t > startdate
| where SubType_s == "FlowLog" and FlowDirection_s == "O"
| extend DestinationIP = extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))", 1, DestPublicIPs_s)
| distinct DestinationIP
| summarize make_list(DestinationIP));
let history = toscalar (AzureNetworkAnalytics_CL
| where FlowStartTime_t <= startdate and FlowStartTime_t > ago(2d)
| where SubType_s == "FlowLog" and FlowDirection_s == "O"
| extend DestinationIP = extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))", 1, DestPublicIPs_s)
| distinct DestinationIP
| summarize make_list(DestinationIP));
print set_difference(current, history)
The result is every public destination IP seen in outbound flow logs during the last hour that did not appear in the preceding two days, which is a cheap first pass for spotting new command-and-control or exfiltration endpoints. Two caveats: extract() returns only the first match, so a row that lists several destination IPs contributes only one of them (use extract_all() with mv-expand to get all of them); and toscalar()/make_list() materialise the whole list in memory, so in a large environment a leftanti join between the two time windows scales better and keeps the context (source, time, flow count) that a plain list of IPs throws away.
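The same check written as a tabular anti-join, as an added example that is not part of the original page. It assumes the AzureNetworkAnalytics_CL columns the query above already uses, plus SrcIP_s from the Traffic Analytics flow-log schema (an assumption; substitute your source-address column if it differs). It expands every destination IP in a row rather than only the first, avoids the toscalar()/make_list() size limits, and returns when each new IP was first contacted, how many flows hit it and which sources talked to it:

```kusto
// Added example, not from the original page: "new outbound destination" as a leftanti join.
// Assumes the AzureNetworkAnalytics_CL schema used on this page; SrcIP_s is assumed.
let startdate = ago(1h);
let ipv4 = @"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})";
let outbound = AzureNetworkAnalytics_CL
    | where FlowStartTime_t > ago(2d)
    | where SubType_s == "FlowLog" and FlowDirection_s == "O"
    // extract_all + mv-expand: one row per destination IP, not just the first match
    | mv-expand DestinationIP = extract_all(ipv4, DestPublicIPs_s) to typeof(string)
    | project FlowStartTime_t, SrcIP_s, DestinationIP, FlowCount_d;
// Baseline: every destination seen between 2 days ago and 1 hour ago
let history = outbound
    | where FlowStartTime_t <= startdate
    | distinct DestinationIP;
// Current window, minus anything present in the baseline
outbound
| where FlowStartTime_t > startdate
| join kind=leftanti (history) on DestinationIP
| summarize FirstSeen = min(FlowStartTime_t),
            Flows = sum(FlowCount_d),
            Sources = make_set(SrcIP_s)
            by DestinationIP
| order by FirstSeen asc
```

Widen the ago(2d) baseline if your environment has weekly batch jobs, otherwise every Monday morning's legitimate destinations surface as "new"; and because the baseline is built from the same table, an attacker who started beaconing more than two days ago is already in history, so pair this with a longer-lived allow-list or a rarity count rather than relying on it alone.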
Common operators (KQL operator names are case-sensitive and written in lowercase)
count: returns the number of rows in the query
where: filters the rows that are returned based on a condition
take: returns a specified number of rows, with no guarantee which rows are returned
sort: sorts the output into an order
top: returns the first N records sorted by the specified column
extend: creates new columns from existing columns or other data such as hard-coded values
summarize: aggregates rows by the specified grouping, for example count(), sum(), make_list() or make_set() by a column