contains ":D" | where Free_Space < 10 Can you please help me with this query? I want to make sure that only one instance of the computer is being monitored instead of all, for example Computer != "net-boxi1.networkhg.org.uk" and InstanceName !contains ":D" In this instance...
Using 'has' is more efficient than 'contains' as the data is indexed for you. SigninLogs | where TimeGenerated > ago(14d) | where AppDisplayName has "Teams" This will find any SigninLogs where the application display name has the word Teams in it, that could include "Microsoft Teams"...
Functions and Operators: KQL supports a variety of operators for arithmetic, comparison, logical operations, and string manipulations. It also has a rich library of functions for array processing, datetime manipulations, machine learning, etc.
This will return results where the application display name contains either "Teams" or "Outlook". SigninLogs | where TimeGenerated > ago(14d) | where AppDisplayName has_all ("Teams","Outlook") This will return results where the application display name has "Teams" and "Outlook". ...
SigninLogs | where TimeGenerated > ago(14d) | where AppDisplayName has_any ("Teams","Outlook") This will return results where the application display name contains either "Teams" or "Outlook". SigninLogs | where TimeGenerated > ago(14d) | where AppDisplayName has_all ("Teams","Outlook")...