cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

KQL query question

CyberKing
Copper Contributor

‎Aug 01 2023 04:48 AM

‎Aug 01 2023 04:48 AM

KQL query question

I have the following test query.

I'm wondering if I added (TimeGenerated 24h) correctly in lines number 5 and 12? Or is it enough to have it only in line 12? Similarly, in lines 6 and 13, do I need to add it twice? Or is it enough to have it only once in line 13?

Thank you

CyberKing_0-1690890430916.png

 

723 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by CyberKing (Copper Contributor)
KubaTom

‎Aug 01 2023 08:52 AM - edited ‎Aug 01 2023 08:53 AM

‎Aug 01 2023 08:52 AM - edited ‎Aug 01 2023 08:53 AM

Solution

Re: KQL query question

@CyberKing 

As I can't see the entire query, it's difficult to be 100% certain, but in union if you need to perform the same operations on different tables you can remove them from individual tables and add below, like so:

 

 

union kind=inner 
(SigninLogs
| distinct UserPrincipalName, TimeGenerated
),
(OfficeActivity
| distinct UserId, TimeGenerated
| extend UserPrincipalName=UserId
)
| where UserPrincipalName contains 'adm'
| where TimeGenerated > ago(24h)

 

 

It certainly helps to keep the query more compact, but I'm not sure how this would affect the overall efficiency - in this case your union starts with 2 bigger tables and only trims them down afterwards.

0 Likes
Reply
CyberKing

‎Aug 03 2023 01:44 AM

‎Aug 03 2023 01:44 AM

Re: KQL query question

thanks!
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by CyberKing (Copper Contributor)
KubaTom

‎Aug 01 2023 08:52 AM - edited ‎Aug 01 2023 08:53 AM

‎Aug 01 2023 08:52 AM - edited ‎Aug 01 2023 08:53 AM

Solution

Re: KQL query question

@CyberKing 

As I can't see the entire query, it's difficult to be 100% certain, but in union if you need to perform the same operations on different tables you can remove them from individual tables and add below, like so:

 

 

union kind=inner 
(SigninLogs
| distinct UserPrincipalName, TimeGenerated
),
(OfficeActivity
| distinct UserId, TimeGenerated
| extend UserPrincipalName=UserId
)
| where UserPrincipalName contains 'adm'
| where TimeGenerated > ago(24h)

 

 

It certainly helps to keep the query more compact, but I'm not sure how this would affect the overall efficiency - in this case your union starts with 2 bigger tables and only trims them down afterwards.

View solution in original post

0 Likes
Reply