Mike H

My feedback

  1. 107 votes
    Mike H commented  · 

    It took an annoyingly long time and a support case to realize that my alert was giving unreliable results because the saved search is using a subquery that tries to search over a longer period of time. While running the saved search in Log Analytics I see exactly the information I'm looking for, but the alert rule is giving bad results because the query and subquery are limited to a short period of time.

    My use case is this: "Each hour, alert when an event was triggered from a source I haven't seen in the last month". The goal is to identify outliers. The query searches for sources seen within the last hour, then excludes sources seen over a longer period of time. Example query:

    // Postgres auth events from the alert's own (short) time window
    Syslog
    | where ProcessName == "postgres" and isnotempty(Postgres_authsuccess_CF) and isnotempty(Postgres_clientip_CF)
    // Drop any client IP already seen in the 7-day baseline that ends where the recent window begins
    | where Postgres_clientip_CF !in ((
        Syslog
        | where TimeGenerated >= ago(7d) and TimeGenerated < ago(1h)
        | where ProcessName == "postgres" and isnotempty(Postgres_authsuccess_CF) and isnotempty(Postgres_clientip_CF)
        | distinct Postgres_clientip_CF))
    | summarize count() by Postgres_clientip_CF

    If there's a different Azure-native solution I can use to get what I'm after, please let me know because I'd really like to do this.

    Mike H supported this idea  · 
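An added illustration, not from the post and not Azure's own code: a small Python model of the query's "recent minus baseline" logic over constructed sample events. The `query_window` parameter (a hypothetical name) models an alert rule clipping every row, subquery included, to its own short period; with the baseline clipped to one hour, a long-known source is reported as new.

```python
from datetime import datetime, timedelta

# Constructed sample of postgres auth events: (TimeGenerated, client IP).
NOW = datetime(2020, 6, 1, 12, 0, 0)
EVENTS = [
    (NOW - timedelta(days=5), "10.0.0.5"),        # old, known source
    (NOW - timedelta(days=3), "10.0.0.7"),        # known, quiet this hour
    (NOW - timedelta(hours=6), "10.0.0.5"),
    (NOW - timedelta(minutes=30), "10.0.0.5"),    # known source, active now
    (NOW - timedelta(minutes=20), "10.0.0.9"),    # genuinely new source
    (NOW - timedelta(minutes=10), "10.0.0.9"),
]


def new_sources(events, now, recent=timedelta(hours=1),
                baseline=timedelta(days=7), query_window=None):
    """Return {ip: event count} for IPs seen in the last `recent` that do
    not appear in the baseline [now-baseline, now-recent).

    `query_window` (hypothetical) models an alert rule that restricts the
    whole query, including the subquery, to its own period; rows older
    than that never reach either side of the comparison.
    """
    if query_window is not None:
        events = [(t, ip) for t, ip in events if t >= now - query_window]
    # Outer query: sources active in the recent window.
    recent_ips = {ip for t, ip in events if t >= now - recent}
    # Subquery: distinct sources in the longer baseline window.
    baseline_ips = {ip for t, ip in events
                    if now - baseline <= t < now - recent}
    # summarize count() by ip, over the outer (recent) rows only.
    return {ip: sum(1 for t, i in events if i == ip and t >= now - recent)
            for ip in recent_ips - baseline_ips}


if __name__ == "__main__":
    # Unclipped (portal with a 7-day range): only 10.0.0.9 is new.
    print(new_sources(EVENTS, NOW))
    # Clipped to a 1h period: the baseline is empty, so 10.0.0.5 also fires.
    print(new_sources(EVENTS, NOW, query_window=timedelta(hours=1)))
```

The second call reproduces the unreliable alert: a source with five days of history is flagged alongside the real outlier because the clipped subquery has nothing to exclude.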
