contactcros.blogg.se

Microsoft docs log in




KQL, which is used by Azure Monitor, is case sensitive. Language keywords are usually written in lowercase. When you use names of tables or columns in a query, be sure to use the correct case, as shown on the schema pane.

Table-based queries

Azure Monitor organizes log data in tables, each composed of multiple columns. All tables and columns are shown on the schema pane in Log Analytics in the Analytics portal. Identify a table that you're interested in, and then take a look at a bit of data:

    SecurityEvent
    | take 10

The preceding query returns 10 results from the SecurityEvent table, in no specific order. This common way to get a glance at a table helps you to understand its structure and content.

The query starts with the table name SecurityEvent, which defines the scope of the query. The pipe (|) character separates commands, so the output of the first command is the input of the next. You can add any number of piped elements. Following the pipe is the take command, which returns a specific number of arbitrary records from the table.

We could run the query even without adding | take 10. The command would still be valid, but it could return up to 30,000 results.

Search queries are better suited for finding records that include a specific value in any of their columns:

    search in (SecurityEvent) "Cryptographic"
    | take 10

This query searches the SecurityEvent table for records that contain the phrase "Cryptographic." Of those records, 10 records are returned and displayed. If you omit the in (SecurityEvent) part and run only search "Cryptographic", the search goes over all tables. The process would then take longer and be less efficient.

Search queries are ordinarily slower than table-based queries because they have to process more data.





