Mirrors/marcredhat-kql
1
0
Fork 0
mirror of https://github.com/marcredhat/kql synced 2026-06-08 13:23:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
23cbaa9c08e081cbfa54c7ec8959f1d4fc78d7b4
marcredhat-kql/reports/probe_ts_field.log
T

42 lines
2.3 KiB
Plaintext
Raw Blame History

/Users/marc.chisinevski/.venvs/azcli/lib/python3.9/site-packages/urllib3/__init__.py:35: NotOpenSSLWarning: urllib3 v2 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'LibreSSL 2.8.3'. See: https://github.com/urllib3/urllib3/issues/3020
warnings.warn(
[sdl_client] session = kql-proof-e6ab5a8c-7c7a-4c90-ab9f-898f88b4ddb0
run_id = run-20b5bcb16f
================================================================================
# show 3 SigninLogs with ts_epoch_ms
q: proof_run_id='run-20b5bcb16f' event_type='SigninLogs' | columns ts_epoch_ms, UserPrincipalName | limit 3
status=success matching=3.0
{'ts_epoch_ms': 1780218888000, 'UserPrincipalName': 'alice@contoso.com'}
{'ts_epoch_ms': 1780221288000, 'UserPrincipalName': 'alice@contoso.com'}
{'ts_epoch_ms': 1780223688000, 'UserPrincipalName': 'alice@contoso.com'}
================================================================================
# count where ts_epoch_ms exists (any)
q: proof_run_id='run-20b5bcb16f' ts_epoch_ms=* | group n=count()
status=success matching=445.0
{'n': 445}
================================================================================
# count where ts_epoch_ms > number
q: proof_run_id='run-20b5bcb16f' | filter ts_epoch_ms > 1000000000000 | group n=count()
status=success matching=445.0
{'n': 445}
================================================================================
# count where ts_epoch_ms (as string) > '0'
q: proof_run_id='run-20b5bcb16f' | filter ts_epoch_ms > '0' | group n=count()
status=success matching=445.0
{'n': 445}
================================================================================
# count where ts_epoch_ms >= NOW-2h numeric
q: proof_run_id='run-20b5bcb16f' | filter ts_epoch_ms >= 1780240661498 | group n=count()
status=success matching=309.0
{'n': 309}
================================================================================
# min/max ts_epoch_ms aggregate
q: proof_run_id='run-20b5bcb16f' | group mn=min(ts_epoch_ms), mx=max(ts_epoch_ms), n=count()
status=success matching=445.0
{'mn': 1780218888000.0, 'mx': 1780244028000.0, 'n': 445}
================================================================================
# event_type filter alone
q: proof_run_id='run-20b5bcb16f' event_type='SigninLogs' | group n=count()
status=success matching=69.0
{'n': 69}
Reference in New Issue View Git Blame Copy Permalink