/Users/marc.chisinevski/.venvs/azcli/lib/python3.9/site-packages/urllib3/__init__.py:35: NotOpenSSLWarning: urllib3 v2 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'LibreSSL 2.8.3'. See: https://github.com/urllib3/urllib3/issues/3020
  warnings.warn(
[sdl_client] session = kql-proof-e6ab5a8c-7c7a-4c90-ab9f-898f88b4ddb0 run_id = run-20b5bcb16f
================================================================================
# show 3 SigninLogs with ts_epoch_ms
q: proof_run_id='run-20b5bcb16f' event_type='SigninLogs' | columns ts_epoch_ms, UserPrincipalName | limit 3
status=success matching=3.0
{'ts_epoch_ms': 1780218888000, 'UserPrincipalName': 'alice@contoso.com'}
{'ts_epoch_ms': 1780221288000, 'UserPrincipalName': 'alice@contoso.com'}
{'ts_epoch_ms': 1780223688000, 'UserPrincipalName': 'alice@contoso.com'}
================================================================================
# count where ts_epoch_ms exists (any)
q: proof_run_id='run-20b5bcb16f' ts_epoch_ms=* | group n=count()
status=success matching=445.0
{'n': 445}
================================================================================
# count where ts_epoch_ms > number
q: proof_run_id='run-20b5bcb16f' | filter ts_epoch_ms > 1000000000000 | group n=count()
status=success matching=445.0
{'n': 445}
================================================================================
# count where ts_epoch_ms (as string) > '0'
q: proof_run_id='run-20b5bcb16f' | filter ts_epoch_ms > '0' | group n=count()
status=success matching=445.0
{'n': 445}
================================================================================
# count where ts_epoch_ms >= NOW-2h numeric
q: proof_run_id='run-20b5bcb16f' | filter ts_epoch_ms >= 1780240661498 | group n=count()
status=success matching=309.0
{'n': 309}
================================================================================
# min/max ts_epoch_ms aggregate
q: proof_run_id='run-20b5bcb16f' | group mn=min(ts_epoch_ms), mx=max(ts_epoch_ms), n=count()
status=success matching=445.0
{'mn': 1780218888000.0, 'mx': 1780244028000.0, 'n': 445}
================================================================================
# event_type filter alone
q: proof_run_id='run-20b5bcb16f' event_type='SigninLogs' | group n=count()
status=success matching=69.0
{'n': 69}