1
votes

I've just started out in KQL and am struggling to find a way to get the most recent status/value for a particular log value. We have a lot of machines and I just want to know the most recent value reported, something like this (pseudo-code). So I end up with a list of distinct computers and their status and when they last reported.

For example:

ProtectionStatus
| project Computer, ProtectionStatus, OSName, TimeGenerated
| where TimeGenerated = MostRecent

Can anyone point me in the right direction please?

1

1 Answer

3
votes

What you're looking for is called arg_max() (see doc).

Use it as follows:

ProtectionStatus
| summarize arg_max(TimeGenerated, ProtectionStatus, OSName) by Computer

This reads like this: return records from the ProtectionStatus table, where for every value of Computer I want to see the values of ProtectionStatus and OSName from the record where TimeGenerated has the max value (for this specific Computer).
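An added, self-contained example (not part of the answer above): the same arg_max pattern run over a small constructed datatable that stands in for the ProtectionStatus table, so it can be pasted into any Kusto or Log Analytics query window. The schema, host names, statuses and timestamps are constructed; the extra NeedsAttention flag goes one step beyond the answer to show how the latest-per-computer result is typically used.

```kusto
// Constructed sample rows standing in for the ProtectionStatus table
// (assumed schema: Computer, ProtectionStatus, OSName, TimeGenerated).
let SampleProtectionStatus = datatable(Computer:string, ProtectionStatus:string, OSName:string, TimeGenerated:datetime)
[
    "web01", "Not Protected", "Windows Server 2019", datetime(2024-01-10 08:00:00),
    "web01", "Protected",     "Windows Server 2019", datetime(2024-01-10 09:30:00),
    "db01",  "Protected",     "Ubuntu 22.04",        datetime(2024-01-09 23:15:00),
    "db01",  "Not Protected", "Ubuntu 22.04",        datetime(2024-01-10 07:45:00),
    "app02", "Protected",     "Windows Server 2022", datetime(2024-01-08 12:00:00)
];
// Constructed cutoff for "has not reported recently"; against live data use ago(1d).
let StaleBefore = datetime(2024-01-10 00:00:00);
SampleProtectionStatus
// arg_max keeps, for each Computer, the single row whose TimeGenerated is the
// maximum in that group, and returns the listed columns from that same row.
// arg_max(TimeGenerated, *) would return every column of that row instead.
| summarize arg_max(TimeGenerated, ProtectionStatus, OSName) by Computer
// Flag hosts whose latest report is either not protected or older than the cutoff.
| extend NeedsAttention = ProtectionStatus != "Protected" or TimeGenerated < StaleBefore
| order by Computer asc
// Expected: app02 -> Protected at 2024-01-08 12:00 (NeedsAttention = true, stale);
//           db01  -> Not Protected at 2024-01-10 07:45 (true);
//           web01 -> Protected at 2024-01-10 09:30 (false).
```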