Mirrors/marcredhat-kql
1
0
Fork 0
mirror of https://github.com/marcredhat/kql synced 2026-06-08 21:27:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Initial commit: KQL ↔ SDL PowerQuery proof of equivalence

Browse Source
This commit is contained in:
marc
2026-06-01 09:57:14 +02:00
commit 23cbaa9c08
91 changed files with 5966 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
reports/probe_ts_field.log
+41
View File
@@ -0,0 +1,41 @@
/Users/marc.chisinevski/.venvs/azcli/lib/python3.9/site-packages/urllib3/__init__.py:35: NotOpenSSLWarning: urllib3 v2 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'LibreSSL 2.8.3'. See: https://github.com/urllib3/urllib3/issues/3020
warnings.warn(
[sdl_client] session = kql-proof-e6ab5a8c-7c7a-4c90-ab9f-898f88b4ddb0
run_id = run-20b5bcb16f
================================================================================
# show 3 SigninLogs with ts_epoch_ms
q: proof_run_id='run-20b5bcb16f' event_type='SigninLogs' | columns ts_epoch_ms, UserPrincipalName | limit 3
status=success matching=3.0
{'ts_epoch_ms': 1780218888000, 'UserPrincipalName': 'alice@contoso.com'}
{'ts_epoch_ms': 1780221288000, 'UserPrincipalName': 'alice@contoso.com'}
{'ts_epoch_ms': 1780223688000, 'UserPrincipalName': 'alice@contoso.com'}
================================================================================
# count where ts_epoch_ms exists (any)
q: proof_run_id='run-20b5bcb16f' ts_epoch_ms=* | group n=count()
status=success matching=445.0
{'n': 445}
================================================================================
# count where ts_epoch_ms > number
q: proof_run_id='run-20b5bcb16f' | filter ts_epoch_ms > 1000000000000 | group n=count()
status=success matching=445.0
{'n': 445}
================================================================================
# count where ts_epoch_ms (as string) > '0'
q: proof_run_id='run-20b5bcb16f' | filter ts_epoch_ms > '0' | group n=count()
status=success matching=445.0
{'n': 445}
================================================================================
# count where ts_epoch_ms >= NOW-2h numeric
q: proof_run_id='run-20b5bcb16f' | filter ts_epoch_ms >= 1780240661498 | group n=count()
status=success matching=309.0
{'n': 309}
================================================================================
# min/max ts_epoch_ms aggregate
q: proof_run_id='run-20b5bcb16f' | group mn=min(ts_epoch_ms), mx=max(ts_epoch_ms), n=count()
status=success matching=445.0
{'mn': 1780218888000.0, 'mx': 1780244028000.0, 'n': 445}
================================================================================
# event_type filter alone
q: proof_run_id='run-20b5bcb16f' event_type='SigninLogs' | group n=count()
status=success matching=69.0
{'n': 69}