Added RuleMigration folder and files
@ -0,0 +1,46 @@
<h1>Sample Rule Mapping between ArcSight/QRadar and Azure Sentinel</h1>
<br />
<h2>ArcSight</h2>
<br />
| <sub>**No.**<sub/> |<sub>**Type**<sub/> |<sub>**Sample Detection Rule**<sub/> | <sub>**Sample KQL**<sub/> |<sub>**Reference**<sub/> |
|----- |-------------- |--------------------------------------------- |------------ |---------------- |
|<sub>1. <sub/> |<sub>**Filter** (and)<sub/>| <img src="media/caf5e11a5e0d7ed6dcc675c0caaaf7aa.png"> | <br/><pre><sub>SecurityEvent<br/>\| where EventID == 4728<br/>\| where SubjectUserName =~ "AutoMatedService"<br/>\| where isnotempty(SubjectDomainName)</sub></pre><sub> This assumes that the Windows Security Events are collected via MMA/AMA.<br/>Hence, we are using SecurityEvent table in Azure Sentinel.<br/><br/>**Note:** <br/> - Avoid case-insensitive operators (=~) when possible for query optimization. <br/> - Use (==) if the value is not case-sensitive.<br/> - Order the filters by starting with the 'where' statement that filter out the most data.<br/><br/></sub> | <sub>- [String Operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators#operators-on-strings)<br/>- [Numerical Operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/numoperators)<br/>- [ago](https://docs.microsoft.com/azure/data-explorer/kusto/query/agofunction)<br/>- [Datetime](https://docs.microsoft.com/azure/data-explorer/kusto/query/datetime-timespan-arithmetic)<br/>- [between](https://docs.microsoft.com/azure/data-explorer/kusto/query/betweenoperator)<br/>- [now](https://docs.microsoft.com/azure/data-explorer/kusto/query/nowfunction)<br/>- [parse](https://docs.microsoft.com/azure/data-explorer/kusto/query/parseoperator)<br/>- [extract](https://docs.microsoft.com/azure/data-explorer/kusto/query/extractfunction)<br/>- [parse_json](https://docs.microsoft.com/azure/data-explorer/kusto/query/parsejsonfunction)<br/>- [parse_csv](https://docs.microsoft.com/azure/data-explorer/kusto/query/parsecsvfunction)<br/>- [parse_path](https://docs.microsoft.com/azure/data-explorer/kusto/query/parsepathfunction)<br/>- [parse_url](https://docs.microsoft.com/azure/data-explorer/kusto/query/parseurlfunction) </sub>
|<sub>2.<sub/> | <sub>**Filter** (or) <sub/> | <img src="media/cf7c4ef2bf29e136988353de1355bec2.png"> |<sub>***Option 1: Use 'in'***<br/><pre>SecurityEvent<br/>\| where SubjectUserName in<br/> ("Adm1","ServiceAccount1","AutomationServices")</pre><br/>***Option 2: Use 'or'***<br/><pre>SecurityEvent<br/>\| where SubjectUserName == "Adm1" or <br/>SubjectUserName == "ServiceAccount1" or <br/>SubjectUserName == "AutomationServices"</pre>***Note:***<br/>Both options are identical in performance, but Option 1 is preferred as it is more user-readable.<br/><br/></sub> | <sub>- [String Operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators#operators-on-strings)<br/>- [in](https://docs.microsoft.com/azure/data-explorer/kusto/query/inoperator) </sub>
|<sub>3.<sub/> | <sub>**Nested Filter**<sub/> | ![](media/e287eb056812ee240fe572a28d809393.png)<br/><br/><br/><sub>__"/All Filters/Soc Filters/Exclude Valid Users":__<br/><br/><sub/> ![](media/86656cdcececce6b6c45d4db3f8b15e1.png) | <sub>***Option 1: Direct filter with "where" statement***<br/><br/><pre>SecurityEvent<br/>\| where EventID == 4728 <br/>\| where isnotempty(SubjectDomainName) or <br/>isnotempty(TargetDomainName) <br/>\| where SubjectUserName !\~ "AutoMatedService"</pre><br/><br/>***Option 2: Use KQL function***<br/><br/> 1. Save the following query as KQL function with the alias of "ExcludeValidUsers".<br/><pre>SecurityEvent<br/>\| where EventID == 4728<br/>\| where isnotempty(SubjectDomainName)<br/>\| where SubjectUserName =\~ "AutoMatedService"<br/>\| project SubjectUserName</pre>2. After that, use the following query to filter "ExcludeValidUsers"<br/><pre>SecurityEvent<br/>\| where EventID == 4728<br/>\| where isnotempty(SubjectDomainName) or <br/>isnotempty(TargetDomainName)<br/>\| where SubjectUserName !in (ExcludeValidUsers)</pre><br/>***Option 3: Use parameter function***<br/><br/> 1. Create a parameter function with the name and alias of “ExcludeValidUsers”.<br/> 2. Define the parameters of the function. For example,<br/><pre>Tbl: (TimeGenerated:datatime, Computer:string, <br/>EventID:string, SubjectDomainName:string, <br/>TargetDomainName:string, SubjectUserName:string)</pre> 3. The parameter function has the following query:<pre>Tbl<br/>\| where SubjectUserName !\~ "AutoMatedService"</pre> 4. Invoke the parameter function with the following query:<br/> <pre>let Events = (<br/>SecurityEvent <br/>\| where EventID == 4728<br/>);<br/>ExcludeValidUsers(Events)</pre><br/>***Option 4: Use Join***<br/><br/>Least preferred option. 
Avoid using 'join' when it can be done with other options.<br/><pre>let events = (<br/>SecurityEvent<br/>\| where EventID == 4728<br/>\| where isnotempty(SubjectDomainName) <br/>or isnotempty(TargetDomainName)<br/>);<br/>let ExcludeValidUsers = (<br/>SecurityEvent<br/>\| where EventID == 4728<br/>\| where isnotempty(SubjectDomainName)<br/>\| where SubjectUserName =\~ "AutoMatedService"<br/>);<br/>events<br/>\| join kind=leftanti ExcludeValidUsers on <br>\$left.SubjectUserName == \$right.SubjectUserName</pre><br/>***Note:***<br/>- Avoid case-insensitive operators (=\~ and !\~) when possible for query optimization. Use (== and !=) if the value is not case-sensitive.<br/>- Option 1 is preferred due to its simplicity while Option 4 is the least preferred option. Avoid using 'join' when it can be done with other options for better performance.<br/><br/><sub/> |<sub>- [Sample KQL function.](https://techcommunity.microsoft.com/t5/azure-sentinel/using-kql-functions-to-speed-up-analysis-in-azure-sentinel/ba-p/712381)<br/>- [Sample Parameter function.](../../../Downloads/Enriching%20Windows%20Security%20Events%20with%20Parameterized%20Function%20-%20Microsoft%20Tech%20Community)<br/>- [Join](https://docs.microsoft.com/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer)<br/>- [where](https://docs.microsoft.com/azure/data-explorer/kusto/query/whereoperator)</sub>
|<sub>4.<sub/> | <sub>**Active list** (Lookup)<sub/> | ![](media/513a09f2398d9c89d3c7499f0f54856e.png) |<sub>This assumes the Watchlist 'Cyber-Ark Exception Accounts' has been created in Azure Sentinel with an 'Account' field.<br/><br/><pre>let Activelist=(<br/>\_GetWatchlist('Cyber-Ark Exception Accounts')<br/>\| project Account );<br/>CommonSecurityLog<br/>\| where DestinationUserName in (Activelist)<br/>\| where DeviceVendor == "Cyber-Ark"<br/>\| where DeviceAction == "Get File Request"<br/>\| where DeviceCustomNumber1 != ""<br/>\| project DeviceAction, DestinationUserName, <br/>TimeGenerated,SourceHostName, <br/>SourceUserName, DeviceEventClassID</pre>**Note:**<br/>Order the filters by starting with the 'where' statement that filter out the most data.<br/><sub/>| <sub>Watchlist is the "Active list" equivalent feature in Azure Sentinel.<br/>Learn more about Watchlist with the following link:<br/>- [Watchlist](https://docs.microsoft.com/azure/sentinel/watchlists)<br/><br/>Watchlist is just one of the methods to implement lookups.<br/>Refer to the below blog post for more options:<br/>- [Implementing Lookups in Azure Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel/ba-p/1091306)<sub/>
|<sub>5.<sub/> | <sub>**Correlation** <br/>(Match a rule condition against a set of base events)<sub/> | ![](media/765de18fb4d82d41dcf5856b7cde57b4.png) | <sub><pre>let event1 =(<br/>SecurityEvent<br/>\| where EventID == 4728<br/>);<br/>let event2 =(<br/>SecurityEvent<br/>\| where EventID == 4729<br/>);<br/>event1<br/>\| join kind=inner event2 <br/>on \$left.TargetUserName==\$right.TargetUserName</pre>**Note:**<br/>For optimization, make sure the smaller table is on the left side of the join. Also, if the left side is relatively small (up to 100K records), add `hint.strategy=broadcast` for better performance.<sub/> | <sub>Join:<br/>- [Join](https://docs.microsoft.com/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer)<br/>- [Time Window Join](https://docs.microsoft.com/azure/data-explorer/kusto/query/join-timewindow)<br/>- [Shuffle](https://docs.microsoft.com/azure/data-explorer/kusto/query/shufflequery)<br/>- [Broadcast](https://docs.microsoft.com/azure/data-explorer/kusto/query/broadcastjoin)<br/>- [Union](https://docs.microsoft.com/azure/data-explorer/kusto/query/unionoperator?pivots=azuredataexplorer)<br/><br/>Define statement:<br/>- [let](https://docs.microsoft.com/azure/data-explorer/kusto/query/letstatement)<br/><br/> Aggregation:<br/>- [make_set](https://docs.microsoft.com/azure/data-explorer/kusto/query/makeset-aggfunction)<br/>- [make_list](https://docs.microsoft.com/azure/data-explorer/kusto/query/makelist-aggfunction)<br/>- [make_bag](https://docs.microsoft.com/azure/data-explorer/kusto/query/make-bag-aggfunction)<br/>- [pack](https://docs.microsoft.com/azure/data-explorer/kusto/query/packfunction)<sub/>
|<sub>6.<sub/> | <sub>**Correlation** (Time Window Filter)<sub/> | ![](media/765de18fb4d82d41dcf5856b7cde57b4.png) |<sub><pre>let waittime = 10m;<br/>let lookback = 1d;<br/>let event1 = (<br/>SecurityEvent<br/>\| where TimeGenerated \> ago(waittime+lookback)<br/>\| where EventID == 4728<br/>\| project event1_time = TimeGenerated, <br/>event1_ID = EventID, event1_Activity= Activity, <br/>event1_Host = Computer, TargetUserName, <br/>event1_UPN=UserPrincipalName, <br/>AccountUsedToAdd = SubjectUserName <br/>);<br/>let event2 = (<br/>SecurityEvent<br/>\| where TimeGenerated \> ago(waittime)<br/>\| where EventID == 4729<br/>\| project event2_time = TimeGenerated, <br/>event2_ID = EventID, event2_Activity= Activity, <br/>event2_Host= Computer, TargetUserName, <br/>event2_UPN=UserPrincipalName,<br/> AccountUsedToRemove = SubjectUserName <br/>);<br/> event1<br/>\| join kind=inner event2 on TargetUserName<br/>\| where event2_time - event1_time \< lookback<br/>\| where tolong(event2_time - event1_time ) \>=0<br/>\| project delta_time = event2_time - event1_time,<br/> event1_time, event2_time,<br/> event1_ID,event2_ID,event1_Activity,<br/> event2_Activity, TargetUserName, AccountUsedToAdd,<br/> AccountUsedToRemove,event1_Host,event2_Host, <br/> event1_UPN,event2_UPN</pre><sub/>|<sub>- [Join](https://docs.microsoft.com/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer)<br/>- [Azure Sentinel Correlation Rules : Join](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-correlation-rules-the-join-kql-operator/ba-p/1041500)<sub/>
|<sub>7.<sub/> | <sub>**Aggregation**<sub/> | ![](media/b3a52d1e5d3ef4a33a0504f94f9bf7cc.png) | <sub><pre>SecurityEvent<br/>\| summarize Count = count() by SubjectUserName, <br/>SubjectDomainName<br/>\| where Count \>3</pre><sub/> |<sub>- [summarize](https://docs.microsoft.com/azure/data-explorer/kusto/query/summarizeoperator)<sub/>
<br />
<br />
<br />
<br />
<h2>QRadar</h2>
<br />
| <sub>**No.**<sub/> |<sub>**Type**<sub/> |<sub>**Sample Detection Rule**<sub/> | <sub>**Sample KQL**<sub/> |<sub>**Reference**<sub/> |
|----- |-------------- |--------------------------------------------- |------------ |---------------- |
|<sub>1.<sub/> | <sub>**Common Property Tests**<sub/> |<sub> Syntax:<sub/>![](media/589476c0a854f3a5987dec7782889b46.png) | <sub>See below for each statement separately:<sub/> | |
| | | <sub>and when any of **\<these properties\>** match **\<this regular expression\>**</br>Example:<sub/> ![](media/770315e174bd4d5a77c86448776ff601.png) |<sub><pre>CommonSecurityLog</br>\| where tostring(SourcePort)<br/> matches regex @"\\d{1,5}" <br/>or tostring(DestinationPort) <br/>matches regex @"\\d{1,5}"</pre><sub/>|<sub>- [matches</br>regex](https://docs.microsoft.com/azure/data-explorer/kusto/query/re2)<sub/>|
| | | <sub>and when the event matches \<**this\>** AQL filter query</br>Example:<sub/> ![](media/c34f274ca7e8b036e98e61740590f526.png) |<sub><pre>CommonSecurityLog</br>\| where SourceIP == '10.1.1.10'</pre><sub/>|<sub>- [String Operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators#operators-on-strings)<sub/> |
| | | <sub>and when **\<this property\> \<equals/not equals\> \<this property\>**</br>Example:<sub/> ![](media/84e4e93c43d7123662b6d99c9fbbbc1c.png) |<sub><pre>CommonSecurityLog</br>\| where SourceIP == DestinationIP</pre><sub/> |<sub>- [String Operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators#operators-on-strings)<sub/>
|<sub>2.<sub/> | <sub>**Date/Time Tests**<sub/> |<sub>Syntax:<sub/> ![](media/99aad65913131b01281b263c1f09d942.png) | <sub>See below for each statement separately:<sub/> |<sub>- [Date/time operations](https://docs.microsoft.com/azure/data-explorer/kusto/query/samples?pivots=azuremonitor#date-and-time-operations)<sub/> |
| | | <sub>and when the event(s) occur \<**on/after/before\>** the \<**selected\>** day of the month</br>Example:<sub/> ![](media/94a7113e83b467298b5a045bc071f49e.png) |<sub><pre>SecurityEvent</br>\| where dayofmonth(TimeGenerated)\<4</pre><sub/>|<sub>- [dayofmonth()](https://docs.microsoft.com/azure/data-explorer/kusto/query/dayofmonthfunction)<sub/> |
| | |<sub> and when the event(s) occur on any of \<**these days of the week{Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday}**\></br>Example:<sub/> ![](media/5aa6f1449a63b4e1389f5c7856463e41.png) | <sub><pre>SecurityEvent</br>\| where dayofweek(TimeGenerated)</br>between (3d .. 5d)</pre><sub/>|<sub>- [dayofweek()](https://docs.microsoft.com/azure/data-explorer/kusto/query/dayofweekfunction)<sub/> |
| | | <sub>and when the event(s) occur \<**after/before/at\> \<this time{12.00AM, 12.05AM, ...11.50PM, 11.55PM}**\></br>Example:<sub/> ![](media/bbc348f1e04c0edab4b4548ff039643e.png) |<sub><pre>SecurityEvent</br>\| where format_datetime(TimeGenerated,</br>'HH:mm')=="23:55"</pre> **Note:** TimeGenerated is in UTC/GMT<sub/> |<sub>- [format_</br>datetime](https://docs.microsoft.com/azure/data-explorer/kusto/query/format-datetimefunction) <sub/>
|<sub>3.<sub/> | <sub>**Event property Tests**<sub/> | ![](media/42c406f899f89708cf98722756821192.png) | <sub>See below for each statement separately:<sub/> | |
| | | <sub> and when the IP protocol is one of the following **\<protocols\>**</br>Example:<sub/> ![](media/21fae36240a914cfbdda8f8760017c6a.png)|<sub><pre>CommonSecurityLog</br>\| where Protocol in ("UDP","ICMP")</pre><sub/>|<sub>- [String Operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators#operators-on-strings)<sub/>|
| | |<sub> and when the Event Payload contains **\<this string**\></br>Example:![](media/d9c4307d45781276cfca8101fa1620dd.png)<sub/> |<sub><pre>CommonSecurityLog</br>\| where DeviceVendor has "Palo Alto"</pre>**Note:**</br>Avoid using "[search()](https://docs.microsoft.com/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer)" command if you already know the table name as it is not performance optimized. <sub/> |<sub>- [has](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators)<sub/>
|<sub>4.<sub/> |<sub>**Functions - Counters**<sub/> | ![](media/ad948f1a7cd75d534888d2c4dae261a4.png) | <sub>See below for each statement separately:<sub/> | |
| | | <sub> and when at least **\<this many\>** events are seen with the same **\<event properties\>** in **\<this many\> \<minutes\>**</br>Example: ![](media/27530cfda836607ae0e417549db02985.png)<sub/> |<sub><pre>CommonSecurityLog</br>\| summarize Count = count() <br/>by SourceIP, DestinationIP</br>\| where Count \>= 5</pre><sub/>|<sub>- [summarize](https://docs.microsoft.com/azure/data-explorer/kusto/query/summarizeoperator)<sub/>
|<sub>5.<sub/> |<sub>**Functions - Negative**<sub/> | ![](media/84b0592bde1b9d5090e4a5fa8316c419.png) | <sub>See below for each statement separately:<sub/> | |
| | | <sub>and when none of **\<these rules\>** match in **\<this many\> \<minutes\>** after **\<these rules\>** match with the same **\<event properties\>**</br>Example: ![](media/21fae36240a914cfbdda8f8760017c6a.png) ![](media/84e4e93c43d7123662b6d99c9fbbbc1c.png) Example using the rules defined above: ![](media/bf171f333debe3bd056b8fec05e8ecb1.png)<sub/> |<sub><pre>let spanoftime = 10m;</br>let Test2 = (</br> CommonSecurityLog</br>\| where Protocol !in ("UDP","ICMP")</br>\| where TimeGenerated \></br>ago(spanoftime)</br>);</br>let Test6 = (</br> CommonSecurityLog</br>\| where SourceIP == DestinationIP</br>);</br>Test2</br>\| join kind=rightanti Test6 on </br>\$left.SourceIP == \$right.SourceIP </br>and \$left.Protocol ==\$right.Protocol</pre><sub>|<sub>- [join()](https://docs.microsoft.com/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer)<br/>- [String Operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators#operators-on-strings)<br/>- [Numerical Operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/numoperators)<sub/>
|<sub>6.<sub/> |<sub>**Functions – Simple**<sub/> | ![](media/b4827844bee9f5c1b514799c54c9f360.png) |<sub>See below for each statement separately:<sub/> | |
| || <sub>and when an event matches **\<any\|all\>** of the following **\<rules\>**</br>Example: ![](media/7198293ebb9c16d7e7de669e31c9cc8f.png)<sub/> |<sub><pre>CommonSecurityLog</br>\| where Protocol !in ("UDP","ICMP") </br>or SourceIP == DestinationIP</pre><sub/>|<sub>- [or](https://docs.microsoft.com/azure/data-explorer/kusto/query/logicaloperators)<sub/>
|<sub>7.<sub/> |<sub>**IP / Port Tests**<sub/> | ![](media/9298713f8003d7b3d332fc4ef8a2c25b.png) |<sub>See below for each statement separately:<sub/> | |
| | | <sub>and when the source port is one of the following **\<ports\>**</br>Example: ![](media/7bf452a3eeda48d4bc8fc940e71c6974.png)<sub/> |<sub><pre>CommonSecurityLog</br>\| where SourcePort == 20</pre><sub/>|<sub>- [String Operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators#operators-on-strings)<sub/>|
| | | <sub>and when the source IP is one of the following **\<IP addresses\>**</br>Example: ![](media/218eebd9f180df1da02c4da26b50cb35.png)<sub/> |<sub><pre>CommonSecurityLog</br>\| where SourceIP in</br>("10.1.1.1","10.2.2.2")</pre><sub/>|<sub>- [String Operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators#operators-on-strings)<sub/>
|<sub>8.<sub/> |<sub>**Log Source Tests**<sub/> | ![](media/0e63f550fffa8b9694251eb38d6ac574.png) |<sub>See below for each statement separately:<sub/> | |
| | | <sub>and when the event(s) were detected by one or more of these **\<log source types\>**</br>Example: ![](media/d816b66c464f4cc3574e3a3c04bc7965.jpeg)<sub/> | <sub><pre>OfficeActivity</br>\| where OfficeWorkload == "Exchange"</pre><sub/>|<sub>- [String Operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators#operators-on-strings)<sub/>
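Review bot: the performance note in rows 1 and 3 of the ArcSight table inverts the case-sensitivity guidance. `==` is the case-sensitive operator, so "Use (==) if the value is not case-sensitive" says the opposite of what is meant; rephrase as "use `==` when an exact-case match is acceptable". Three smaller points in the same hunk: the Option 3 parameter definition in row 3 has `TimeGenerated:datatime` (should be `datetime`); the "Sample Parameter function" reference in row 3 points at a local path (`../../../Downloads/Enriching%20Windows%20Security%20Events...`) that will be dead for every reader and needs the Tech Community URL; and every closing `<sub/>` should be `</sub>`, since `<sub/>` is not a closing tag and leaves the `<sub>` elements unclosed across the whole table. In row 4, `DeviceCustomNumber1` is an integer column in CommonSecurityLog, so `!= ""` compares an int to a string; `isnotnull(DeviceCustomNumber1)` is the intended check.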
@ -0,0 +1,114 @@
<h2><u>Common Search Commands</u></h2>
<br />
<sub>**SPL Command** | <sub>**Description** | <sub>**SPL Example** | <sub>**KQL** | <sub>**KQL Example** |
--- | --- | --- | --- | --- |
<sub>**chart/ timechart** | <sub>Returns results in a tabular output for (time-series) charting. | |<sub>[render](https://docs.microsoft.com/azure/data-explorer/kusto/query/renderoperator?pivots=azuredataexplorer) |<sub><pre> … \| render timechart</pre>
<sub>**dedup** | <sub>Removes subsequent results that match a specified criterion. | |<sub>[distinct](https://docs.microsoft.com/azure/data-explorer/kusto/query/distinctoperator) <br /> [summarize](https://docs.microsoft.com/azure/data-explorer/kusto/query/summarizeoperator)<sub/> | <sub><pre>… \| summarize by Computer, EventID </pre>
<sub>**eval** | <sub>Calculates an expression.<br />See [Common Eval Commands](#common-eval-commands) for more Eval Commands. | | <sub>[extend](https://docs.microsoft.com/azure/data-explorer/kusto/query/extendoperator) | <sub><pre>T \| extend duration = endTime - startTime</pre>
<sub>**fields** | <sub>Removes fields from search results. | |<sub> [project](https://docs.microsoft.com/azure/data-explorer/kusto/query/projectoperator) <br /> [project-away](https://docs.microsoft.com/azure/data-explorer/kusto/query/projectawayoperator) |<sub> <pre>T \| project cost=price*quantity, price</pre>
<sub>**head/tail** |<sub> Returns the first/last N results. | | <sub>[top](https://docs.microsoft.com/azure/data-explorer/kusto/query/topoperator) |<sub> <pre> T \| top 5 by Name desc nulls last </pre>
<sub>**lookup** | <sub>Adds field values from an external source. | | <sub>[externaldata](https://docs.microsoft.com/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuredataexplorer) <br /> [lookup](https://docs.microsoft.com/azure/data-explorer/kusto/query/lookupoperator) | <sub><pre> Users <br /> \| where UserID in ((externaldata (UserID:string) [<br /> @"https://storageaccount.blob.core.windows.net/<br />storagecontainer/users.txt" <br /> h@"?...SAS..." // Secret token to access the blob <br /> ])) \| ... </pre>
<sub>**rename** |<sub> Renames a field. Use wildcards to specify multiple fields. | | <sub>[project-rename](https://docs.microsoft.com/azure/data-explorer/kusto/query/projectrenameoperator) |<sub> <pre> T \| project-rename new_column_name = column_name </pre>
<sub>**rex** | <sub>Specifies regular expression named groups to extract fields. | | <sub>[matches regex](https://docs.microsoft.com/azure/data-explorer/kusto/query/re2) | <sub><pre>… \| where field matches regex "^addr.*" </pre>
<sub>**search** |<sub> Filters results to those that match the search expression. | | <sub>[search](https://docs.microsoft.com/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer) | <sub><pre>search "X"</pre>
<sub>**sort** | <sub>Sorts the search results by the specified fields. | | <sub>[sort](https://docs.microsoft.com/azure/data-explorer/kusto/query/sortoperator) | <sub><pre> T \| sort by strlen(country) asc, price desc </pre>
<sub>**stats** | <sub>Provides statistics, grouped optionally by fields.<br />See [Common Stats Commands](#common-stats-commands) for more Stats Commands. | | <sub>[summarize](https://docs.microsoft.com/azure/data-explorer/kusto/query/summarizeoperator) | <sub><pre>Sales <br />\| summarize NumTransactions=count(), <br />Total=sum(UnitPrice * NumUnits) by Fruit, <br />StartOfMonth=startofmonth(SellDateTime) </pre>
<sub>**mstats** | <sub>Similar to stats but used on metrics instead of events. | | <sub>[summarize](https://docs.microsoft.com/azure/data-explorer/kusto/query/summarizeoperator) | <sub><pre> T <br />\| summarize count() by price_range=bin(price, 10.0) </pre>
<sub>**table** | <sub>Specifies fields to keep in the result set. Retains data in tabular format. | | <sub>[project](https://docs.microsoft.com/azure/data-explorer/kusto/query/projectoperator) | <sub><pre>T \| project columnA, columnB</pre>
<sub>**top/rare** | <sub>Displays the most/least common values of a field. | | <sub>[top](https://docs.microsoft.com/azure/data-explorer/kusto/query/topoperator) | <sub><pre>T \| top 5 by Name desc nulls last </pre>
<sub>**transaction** | <sub>Groups search results into transactions. | <sub>sourcetype=MyLogTable type=Event<br />\| transaction ActivityId startswith="Start" endswith="Stop"<br />\| Rename timestamp as StartTime<br />\| Table City, ActivityId, StartTime, Duration | <sub>Refer to example <br /><br />[row_window_session](https://docs.microsoft.com/azure/data-explorer/kusto/query/row-window-session-function) | <sub><pre>let Events = MyLogTable \| where type=="Event";<br />Events<br />\| where Name == "Start"<br />\| project Name, City, ActivityId, StartTime=timestamp<br />\| join (Events<br />\| where Name == "Stop"<br />\| project StopTime=timestamp, ActivityId)<br />on ActivityId<br />\| project City, ActivityId, StartTime, <br />Duration = StopTime – StartTime</pre><br />***Note:***<br /> Use ***row_window_session()*** if you need to calculate session start values of a column in a serialized row set.<br /><pre>...\| extend SessionStarted = row_window_session(<br />Timestamp, 1h, 5m, ID != prev(ID))</pre>
<sub>**eventstats** | <sub>Generates summary statistics from fields in your events and saves those statistics in a new field. | <sub>… \| bin span=1m _time<br />\|stats count AS count_i by _time, category <br />\| eventstats sum(count_i) as count_total by _time | <sub>[join](https://docs.microsoft.com/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer)<br />[make_list](https://docs.microsoft.com/azure/data-explorer/kusto/query/makelist-aggfunction)<br />[mv-expand](https://docs.microsoft.com/azure/data-explorer/kusto/query/mvexpandoperator) <br /><br />Refer to examples<br /> | <sub>**Example 1 - Using join:**<br /><pre>let binSize = 1h;<br />let detail = SecurityEvent <br />\| summarize detail_count = count() by EventID,<br />tbin = bin(TimeGenerated, binSize);<br />let summary = SecurityEvent<br />\| summarize sum_count = count() by <br />tbin = bin(TimeGenerated, binSize);<br />detail <br />\| join kind=leftouter (summary) on tbin <br />\| project-away tbin1</pre> Or <br /><br />**Example 2 - Using make_list:**<br /><pre>let binSize = 1m;<br />SecurityEvent<br />\| where TimeGenerated >= ago(24h)<br />\| summarize TotalEvents = count() by EventID, <br />groupBin =bin(TimeGenerated, binSize)<br />\|summarize make_list(EventID), make_list(TotalEvents), <br />sum(TotalEvents) by groupBin<br />\| mvexpand list_EventID, list_TotalEvents</pre>
<sub>**streamstats** | <sub>Find the cumulative sum of a field. | <sub>... \| streamstats sum(bytes) as bytes _ total \| timechart |<sub>[row_cumsum](https://docs.microsoft.com/azure/data-explorer/kusto/query/rowcumsumfunction) |<sub>...\| serialize cs=row_cumsum(bytes)
<sub>**anomalydetection** |<sub> Find anomalies in the specified field. | <sub>sourcetype=nasdaq earliest=-10y <br />\| anomalydetection Close _ Price | <sub>[series_decompose_<br />anomalies()](https://docs.microsoft.com/azure/data-explorer/kusto/query/series-decompose-anomaliesfunction) | <sub><pre>let LookBackPeriod= 7d;<br />let disableAccountLogon=SignIn<br />\| where ResultType == "50057"<br />\| where ResultDescription has "account is disabled";<br />disableAccountLogon<br />\| make-series Trend=count() default=0 on TimeGenerated <br />in range(startofday(ago(LookBackPeriod)), now(), 1d)<br />\| extend (RSquare,Slope,Variance,RVariance,Interception,<br />LineFit)=series_fit_line(Trend)<br />\| extend (anomalies,score) = <br />series_decompose_anomalies(Trend)</pre>
<sub>**where** | <sub>Filters search results using eval expressions. Used to compare two different fields. | | <sub>[where](https://docs.microsoft.com/azure/data-explorer/kusto/query/whereoperator) | <sub><pre>T \| where fruit=="apple"</pre>
<br />
<br />
<br />
<h2><u>Common Eval Commands</u></h2>
<br />
<sub>**SPL Command** | <sub>**Description** | <sub>**SPL Example** | <sub>**KQL** | <sub>**KQL Example** |
--- | --- | --- | --- | --- |
<sub>**abs(X)** | <sub>Returns the absolute value of X. | <sub>abs(number) | <sub>[abs()](https://docs.microsoft.com/azure/data-explorer/kusto/query/abs-function) | <sub><pre>abs(X)</pre>
<sub>**case(X,"Y",…)** | <sub>Takes pairs of arguments X and Y, where X arguments are Boolean expressions. <br />When evaluated to TRUE, the arguments return the corresponding Y argument. | <sub>case(error == 404, "Not found", <br />error == 500,"Internal Server Error", <br />error == 200, "OK") | <sub>[case](https://docs.microsoft.com/azure/data-explorer/kusto/query/casefunction) | <sub><pre>T<br />\| extend Message = case(error == 404, "Not found", <br />error == 500,"Internal Server Error", "OK") </pre>
<sub>**ceil(X)** | <sub>Ceiling of a number X. | <sub>ceil(1.9) | <sub>[ceiling()](https://docs.microsoft.com/azure/data-explorer/kusto/query/ceilingfunction) | <sub><pre>ceiling(1.9)</pre>
<sub>**cidrmatch("X",Y)** | <sub>Identifies IP addresses that belong to a particular subnet. | <sub>cidrmatch("123.132.32.0/25",ip) | <sub>[ipv4_is_match()](https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv4-is-matchfunction)<br />[ipv6_is_match()](https://docs.microsoft.com/azure/data-explorer/kusto/query/ipv6-is-matchfunction) | <sub><pre>ipv4_is_match('192.168.1.1', '192.168.1.255')<br />== false</pre>
<sub>**coalesce(X,…)** | <sub>Returns the first value that is not null. | <sub>coalesce(null(), "Returned val", null()) | <sub>[coalesce()](https://docs.microsoft.com/azure/data-explorer/kusto/query/coalescefunction) | <sub><pre>coalesce(tolong("not a number"), tolong("42"),<br />33) == 42</pre>
<sub>**cos(X)** | <sub>Calculates the cosine of X. | <sub>n=cos(0) | <sub>[cos()](https://docs.microsoft.com/azure/data-explorer/kusto/query/cosfunction) | <sub><pre>cos(X)</pre>
<sub>**exact(X)** | <sub>Evaluates an expression X using double precision floating point arithmetic. | <sub>exact(3.14*num) | <sub>[todecimal()](https://docs.microsoft.com/azure/data-explorer/kusto/query/todecimalfunction) | <sub><pre>todecimal(3.14*2)</pre>
<sub>**exp(X)** | <sub>Returns eX. | <sub>exp(3) | <sub>[exp()](https://docs.microsoft.com/azure/data-explorer/kusto/query/exp-function) | <sub><pre>exp(3)</pre>
<sub>**if(X,Y,Z)** | <sub>If X evaluates to TRUE, the result is the second argument Y. <br />If X evaluates to FALSE, the result evaluates to the third argument Z. | <sub>if(error==200, "OK", "Error") | <sub>[iif()](https://docs.microsoft.com/azure/data-explorer/kusto/query/iiffunction) | <sub><pre>iif(floor(Timestamp, 1d)==floor(now(), 1d), <br />"today", "anotherday")</pre>
<sub>**isbool(X)** | <sub>Returns TRUE if X is Boolean. | <sub>isbool(field) | <sub>[iif()](https://docs.microsoft.com/azure/data-explorer/kusto/query/iiffunction) <br /> [gettype()](https://docs.microsoft.com/azure/data-explorer/kusto/query/gettypefunction) | <sub><pre>iif(gettype(X) =="bool","TRUE","FALSE")</pre>
<sub>**isint(X)** | <sub>Returns TRUE if X is Integer. | <sub>isint(field) | <sub>[iif()](https://docs.microsoft.com/azure/data-explorer/kusto/query/iiffunction) <br /> [gettype()](https://docs.microsoft.com/azure/data-explorer/kusto/query/gettypefunction) | <sub><pre>iif(gettype(X) =="long","TRUE","FALSE")</pre>
<sub>**isnull(X)** | <sub>Returns TRUE if X is NULL. | <sub>isnull(field) | <sub>[isnull()](https://docs.microsoft.com/azure/data-explorer/kusto/query/isnullfunction) | <sub><pre>isnull(field)</pre>
<sub>**isstr(X)** | <sub>Returns TRUE if X is String. | <sub>isstr(field) | <sub>[iif()](https://docs.microsoft.com/azure/data-explorer/kusto/query/iiffunction) <br /> [gettype()](https://docs.microsoft.com/azure/data-explorer/kusto/query/gettypefunction) | <sub><pre>iif(gettype(X) =="string","TRUE","FALSE")</pre>
<sub>**len(X)** | <sub>This function returns the character length of a string X. | <sub>len(field) | <sub>[strlen()](https://docs.microsoft.com/azure/data-explorer/kusto/query/strlenfunction) | <sub><pre>strlen(field)</pre>
<sub>**like(X,"y")** | <sub>Returns TRUE if and only if X is like the SQLite pattern in Y. | <sub>like(field, "addr%") | <sub>[has](https://docs.microsoft.com/azure/data-explorer/kusto/query/has-anyoperator) <br />[contains](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators) <br /> [startswith](https://docs.microsoft.com/azure/data-explorer/kusto/query/datatypes-string-operators) <br /> [matches regex](https://docs.microsoft.com/azure/data-explorer/kusto/query/re2) | <sub><br /><pre>… \| where field has "addr"</pre><br /><pre>… \| where field contains "addr"</pre><br /><pre>… \| where field startswith "addr"</pre><br /><pre>… \| where field matches regex "^addr.*"</pre>
<sub>**log(X,Y)** | <sub>Returns the log of the first argument X using the second argument Y as the base. <br />Y defaults to 10. | <sub>log(number,2) | <sub>[log](https://docs.microsoft.com/azure/data-explorer/kusto/query/log-function) <br /> [log2](https://docs.microsoft.com/azure/data-explorer/kusto/query/log2-function) <br /> [log10](https://docs.microsoft.com/azure/data-explorer/kusto/query/log10-function) | <sub><pre>log(X)</pre><pre>log2(X)</pre><pre>log10(X)</pre>
<sub>**lower(X)** | <sub>Returns the lowercase of X. | <sub>lower(username) | <sub>[tolower](https://docs.microsoft.com/azure/data-explorer/kusto/query/tolowerfunction) | <sub><pre>tolower(username)</pre>
<sub>**ltrim(X,Y)** | <sub>Returns X with the characters in Y trimmed from the left side. <br />Y defaults to spaces and tabs. | <sub>ltrim(" ZZZabcZZ ", " Z") | <sub>[trim_start()](https://docs.microsoft.com/azure/data-explorer/kusto/query/trimstartfunction) | <sub><pre>trim_start(“ ZZZabcZZ”,” ZZZ”)</pre>
<sub>**match(X,Y)** | <sub>Returns if X matches the regex pattern Y. | <sub>match(field, "^\d{1,3}\.\d$") | <sub>[matches regex](https://docs.microsoft.com/azure/data-explorer/kusto/query/re2) | <sub><pre>… \| where field matches regex @"^\d{1,3}\.\d$")</pre>
<sub>**max(X,…)** | <sub>Returns the maximum value in a column. | <sub>max(delay, mydelay) | <sub>[max()](https://docs.microsoft.com/azure/data-explorer/kusto/query/max-aggfunction) <br /> [arg_max()](https://docs.microsoft.com/azure/data-explorer/kusto/query/arg-max-aggfunction) | <sub><pre>… \| summarize max(field)</pre>
<sub>**md5(X)** | <sub>Returns the MD5 hash of a string value X. | <sub>md5(field) | <sub>[hash_md5](https://docs.microsoft.com/azure/data-explorer/kusto/query/md5hashfunction) | <sub><pre>hash_md5("X")</pre>
<sub>**min(X,…)** | <sub>Returns the minimum value in a column. | <sub>min(delay, mydelay) | <sub>[min_of()](https://docs.microsoft.com/azure/data-explorer/kusto/query/min-offunction)<br /> [min()](https://docs.microsoft.com/azure/data-explorer/kusto/query/min-aggfunction)<br /> [arg_min](https://docs.microsoft.com/azure/data-explorer/kusto/query/arg-min-<sub>**aggfunction) | <sub><pre>min_of (expr_1, expr_2 ...)</pre><br /><pre>…\|summarize min(expr)</pre><br /><pre>…\| summarize arg_min(Price,*) by Product</pre>
<sub>**mvcount(X)** | <sub>Returns the number of values of X. | <sub>mvcount(multifield) | <sub>[dcount](https://docs.microsoft.com/azure/data-explorer/kusto/query/dcount-aggfunction) | <sub><pre>…\| summarize dcount(X) by Y</pre>
<sub>**mvfilter(X)** | <sub>Filters a multi-valued field based on the Boolean expression X. |<sub> mvfilter(match(email, "net$")) |<sub>[mv-apply](https://docs.microsoft.com/azure/data-explorer/kusto/query/mv-applyoperator) | <sub><pre>T \| mv-apply Metric to typeof(real) on <br />(<br /> top 2 by Metric desc<br />)</pre>
<sub>**mvindex(X,Y,Z)** | <sub>Returns a subset of the multivalued field X from start position (zero-based) Y to Z (optional). | <sub>mvindex( multifield, 2) |<sub>[array_slice](https://docs.microsoft.com/azure/data-explorer/kusto/query/arrayslicefunction) |<sub><pre>array_slice(arr, 1, 2)</pre>
<sub>**mvjoin(X,Y)** | <sub>Given a multi-valued field X and string delimiter Y, and joins the individual values of X using Y. | <sub>mvjoin(address, ";") |<sub>[strcat_array](https://docs.microsoft.com/azure/data-explorer/kusto/query/strcat-arrayfunction) |<sub><pre>strcat_array(dynamic([1, 2, 3]), "->")</pre>
<sub>**now()** | <sub>Returns the current time, represented in Unix time. | <sub>now() | <sub>[now()](https://docs.microsoft.com/azure/data-explorer/kusto/query/nowfunction) |<sub><pre>now()</pre><br /><pre>now(-2d)</pre>
<sub>**null()** | <sub>This function takes no arguments and returns NULL. | <sub>null() | <sub>[null](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/null-values?pivots=azuredataexplorer) | <sub><pre>null</pre>
<sub>**nullif(X,Y)** | <sub>Given two arguments, fields X and Y, and returns the X if the arguments are different. Otherwise returns NULL. | <sub>nullif(fieldA, fieldB) | <sub>[iif](https://docs.microsoft.com/azure/data-explorer/kusto/query/iiffunction) | <sub><pre>iif(fieldA==fieldB, null, fieldA)</pre>
<sub>**random()** | <sub>Returns a pseudo-random number ranging from 0 to 2147483647. | <sub>random() | <sub>[rand()](https://docs.microsoft.com/azure/data-explorer/kusto/query/randfunction) | <sub><pre>rand()</pre>
<sub>**relative_ time(X,Y)** | <sub>Given epochtime time X and relative time specifier Y, returns the epochtime value of Y applied to X. | <sub>relative_time(now(),"-1d@d") | <sub>[unix time](https://docs.microsoft.com/azure/data-explorer/kusto/query/datetime-timespan-arithmetic#example-unix-time) | <sub><pre>let toUnixTime = (dt:datetime)<br />{<br />(dt - datetime(1970-01-01))/1s <br />};</pre>
<sub>**replace(X,Y,Z)** | <sub>Returns a string formed by substituting string Z for every occurrence of regex string Y in string X. | <sub>Returns date with the month and day numbers switched. <br />If the input was 4/30/2015 the return value would be 30/4/2009: <br /><br />replace(date, "^(\d{1,2})/ (\d{1,2})/", "\2/\1/") | <sub>[replace()](https://docs.microsoft.com/azure/data-explorer/kusto/query/replacefunction) | <sub><pre>replace( @'^(\d{1,2})/(\d{1,2})/', @'\2/\1/',date)</pre>
<sub>**round(X,Y)** | <sub>Returns X rounded to the amount of decimal places specified by Y. The default is to round to an integer. | <sub>round(3.5) | <sub>[round()](https://docs.microsoft.com/azure/data-explorer/kusto/query/roundfunction) | <sub><pre>round(3.5)</pre>
<sub>**rtrim(X,Y)** | <sub>Returns X with the characters in Y trimmed from the right side. If Y is not specified, spaces and tabs are trimmed. | <sub>rtrim(" ZZZZabcZZ ", " Z") | <sub>[trim_end()](https://docs.microsoft.com/azure/data-explorer/kusto/query/trimendfunction) | <sub><pre>trim_end(@"[ Z]+",A)</pre>
<sub>**searchmatch(X)** | <sub>Returns TRUE if the event matches the search string X. | <sub>searchmatch("foo AND bar") | <sub>[iif()](https://docs.microsoft.com/azure/data-explorer/kusto/query/iiffunction) | <sub><pre>iif(field has "X","Yes","No")</pre>
<sub>**split(X,"Y")** | <sub>Returns X as a multi-valued field, split by delimiter Y. | <sub>split(address, ";") | <sub>[split()](https://docs.microsoft.com/azure/data-explorer/kusto/query/splitfunction) | <sub><pre>split(address, ";")</pre>
<sub>**sqrt(X)** | <sub>Returns the square root of X. | <sub>sqrt(9) | <sub>[sqrt()](https://docs.microsoft.com/azure/data-explorer/kusto/query/sqrtfunction) | <sub><pre>sqrt(9)</pre>
<sub>**strftime(X,Y)** | <sub>Returns epochtime value X rendered using the format specified by Y. | <sub>strftime(_time, "%H:%M") | <sub>[format_datetime()](https://docs.microsoft.com/azure/data-explorer/kusto/query/format-datetimefunction) | <sub><pre>format_datetime(time,'HH:mm')</pre>
<sub>**strptime(X,Y)** | <sub>Given a time represented by a string X, returns value parsed from format Y. | <sub>strptime(timeStr, "%H:%M") | <sub>[format_datetime()](https://docs.microsoft.com/azure/data-explorer/kusto/query/format-datetimefunction) | <sub><pre>format_datetime(datetime('2017-08-16 11:25:10'),<br />'HH:mm')</pre>
<sub>**substr(X,Y,Z)** | <sub>Returns a substring field X from start position (1-based) Y for Z (optional) characters. | <sub>substr("string", 1, 3) | <sub>[substring()](https://docs.microsoft.com/azure/data-explorer/kusto/query/substringfunction) | <sub><pre>substring("string", 0, 3)</pre>
<sub>**time()** | <sub>Returns the wall-clock time with microsecond resolution. | <sub>time() | <sub>[format_datetime()](https://docs.microsoft.com/azure/data-explorer/kusto/query/format-datetimefunction) | <sub><pre>format_datetime(datetime(2015-12-14 02:03:04),<br />'h:m:s')</pre>
<sub>**tonumber(X,Y)** | <sub>Converts input string X to a number, where Y (optional, defaults to 10) defines the base of the number to convert to. | <sub>tonumber("0A4",16) | <sub>[toint()](https://docs.microsoft.com/azure/data-explorer/kusto/query/tointfunction) | <sub><pre>toint("123")</pre>
<sub>**tostring(X,Y)** | <sub>Returns a field value of X as a string. If the value of X is a number, it reformats it as a string.<br /><br /> If X is a Boolean value, reformats to TRUE or FALSE. If X is a number, the second argument Y is optional and can either be "hex" (convert X to hexadecimal), "commas" (formats X with commas and 2 decimal places), or "duration" (converts seconds X to readable time format HH:MM:SS). | <sub>This example returns:<br />foo=615 and foo2=00:10:15: <br /><br />… \| eval foo=615 \| eval foo2 = tostring(<br />foo, "duration") | <sub>[tostring()](https://docs.microsoft.com/azure/data-explorer/kusto/query/tostringfunction) | <sub><pre>tostring(123)</pre>
<sub>**typeof(X)** | <sub>Returns a string representation of the field type. | <sub>typeof(12) | <sub>[gettype()](https://docs.microsoft.com/azure/data-explorer/kusto/query/gettypefunction) | <sub><pre>gettype(12)</pre>
<sub>**urldecode(X)** | <sub>Returns the URL X decoded. | <sub>urldecode("http%3A%2F%2Fwww.<br />splunk.com%2Fdownload%3Fr%3D<br />header") | <sub>[url_decode](https://docs.microsoft.com/azure/data-explorer/kusto/query/urldecodefunction) |<sub><pre>url_decode('https%3a%2f%2fwww.bing.com%2f')</pre>
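Review bot: several KQL cells in this functions table either do not compile or do not match the SPL semantics on the same row. The `ltrim` row uses typographic quotes and reverses the argument order (`trim_start(“ ZZZabcZZ”,” ZZZ”)`); `trim_start()` takes the regex first, so it should mirror the `rtrim` row, e.g. `trim_start(@"[ Z]+", " ZZZabcZZ ")` (and the `rtrim` cell references an undefined `A` as its source string). The `match` row has an unbalanced closing parenthesis after the regex literal (`@"^\d{1,3}\.\d$")`). The `min` row's `arg_min` link is broken by a stray `<sub>**` inside the URL (`arg-min-<sub>**aggfunction`). The `max(X,…)` row maps a scalar comparison of several arguments to the `summarize max(field)` aggregate; for consistency with the `min` row it should reference `max_of()`. The `mvcount` row maps to `dcount`, a distinct-count aggregate, whereas counting the elements of a multi-value field is `array_length()`. The `strptime` row points to `format_datetime()`, which renders a datetime as a string; parsing a string into a datetime is `todatetime()`. The `null()` and `nullif` cells use a bare `null` (`iif(fieldA==fieldB, null, fieldA)`), which KQL does not accept; a typed null literal such as `long(null)` or `datetime(null)` matching the column type is needed. The `isint` check `gettype(X) == "long"` misses values typed `int`. Finally, the `replace` row's description says 4/30/2015 becomes 30/4/2009 and its SPL regex contains a stray space in `/ (\d{1,2})/`; both look like copy errors worth fixing before this ships as a reference.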
<br />
<br />
<br />
<h2><u>Common Stats Commands</u></h2>
<br />
<sub>**SPL Command** | <sub>**Description** | <sub>**KQL** | <sub>**KQL Example** |
--- | --- | --- | --- |
<sub>**avg(X)** | <sub>Returns the average of the values of field X. | <sub>[avg()](https://docs.microsoft.com/azure/data-explorer/kusto/query/avg-aggfunction) | <sub><pre>avg(X)</pre>
<sub>**count(X)** | <sub>Returns the number of occurrences of the field X. To indicate a specific field value to match, format X as eval(field="value"). | <sub>[count()](https://docs.microsoft.com/azure/data-explorer/kusto/query/count-aggfunction) | <sub><pre>summarize count()</pre>
<sub>**dc(X)** | <sub>Returns the count of distinct values of the field X. | <sub>[dcount()](https://docs.microsoft.com/azure/data-explorer/kusto/query/dcount-aggfunction) | <sub><pre>…\| summarize countries=dcount(country) by continent</pre>
<sub>**earliest(X)** | <sub>Returns the chronologically earliest seen value of X. | <sub>[arg_min()](https://docs.microsoft.com/azure/data-explorer/kusto/query/arg-min-aggfunction) | <sub><pre>… \| summarize arg_min(TimeGenerated, *) by X</pre>
<sub>**latest(X)** | <sub>Returns the chronologically latest seen value of X. | <sub>[arg_max()](https://docs.microsoft.com/azure/data-explorer/kusto/query/arg-max-aggfunction) | <sub><pre>… \| summarize arg_max(TimeGenerated, *) by X</pre>
<sub>**max(X)** | <sub>Returns the maximum value of the field X. If the values of X are non-numeric, the max is found from alphabetical ordering. | <sub>[max()](https://docs.microsoft.com/azure/data-explorer/kusto/query/max-aggfunction) | <sub><pre>…\| summarize max(X)</pre>
<sub>**median(X)** | <sub>Returns the middle-most value of the field X. | <sub>[percentile()](https://docs.microsoft.com/azure/data-explorer/kusto/query/percentiles-aggfunction) | <sub><pre>…\| summarize percentile(X, 50)</pre>
<sub>**min(X)** | <sub>Returns the minimum value of the field X. If the values of X are non-numeric, the min is found from alphabetical ordering. | <sub>[min()](https://docs.microsoft.com/azure/data-explorer/kusto/query/min-aggfunction) | <sub><pre>…\| summarize min(X)</pre>
<sub>**mode(X)** | <sub>Returns the most frequent value of the field X. | <sub>[top-hitters()](https://docs.microsoft.com/azure/data-explorer/kusto/query/tophittersoperator) | <sub><pre>…\| top-hitters 1 of Y by X</pre>
<sub>**perc<X>(Y)** | <sub>Returns the X-th percentile value of the field Y. For example, perc5(total) returns the 5th percentile value of a field "total". | <sub>[percentile()](https://docs.microsoft.com/azure/data-explorer/kusto/query/percentiles-aggfunction) | <sub><pre>…\| summarize percentile(Y, 5)</pre>
<sub>**range(X)** | <sub>Returns the difference between the max and min values of the field X. |<sub>[range()](https://docs.microsoft.com/azure/data-explorer/kusto/query/rangefunction) | <sub><pre>range(1, 3)</pre>
<sub>**stdev(X)** | <sub>Returns the sample standard deviation of the field X. | <sub>[stdev](https://docs.microsoft.com/azure/data-explorer/kusto/query/stdev-aggfunction) | <sub><pre>stdev()</pre>
<sub>**stdevp(X)** | <sub>Returns the population standard deviation of the field X. | <sub>[stdevp()](https://docs.microsoft.com/azure/data-explorer/kusto/query/stdevp-aggfunction) | <sub><pre>stdevp()</pre>
<sub>**sum(X)** | <sub>Returns the sum of the values of the field X. | <sub>[sum()](https://docs.microsoft.com/azure/data-explorer/kusto/query/sum-aggfunction) | <sub><pre>sum(X)</pre>
<sub>**sumsq(X)** | <sub>Returns the sum of the squares of the values of the field X. | | |
<sub>**values(X)** |<sub> Returns the list of all distinct values of the field X as a multi-value entry. The order of the values is alphabetical. | <sub>[make_set()](https://docs.microsoft.com/azure/data-explorer/kusto/query/makeset-aggfunction) | <sub><pre>…\| summarize r = make_set(X)</pre>
<sub>**var(X)** | <sub>Returns the sample variance of the field X. | <sub>[variance()](https://docs.microsoft.com/azure/data-explorer/kusto/query/variance-aggfunction) | <sub><pre>variance(X)</pre>
<br />
<br />
<br />
_The above SPL samples are based on [Splunk quick reference guide](https://www.splunk.com/pdfs/solution-guides/splunk-quick-reference-guide.pdf)_
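Review bot: in the Common Stats Commands table, the `range(X)` row maps Splunk's max-minus-min statistic to `range(1, 3)`, which is the KQL scalar function that generates a sequence of numbers, not an aggregate; the counterpart is `summarize max(X) - min(X)`. The `stdev` and `stdevp` cells omit the field argument (`stdev()`, `stdevp()`) and should read `summarize stdev(X)` / `summarize stdevp(X)` like the neighbouring rows. The `sumsq(X)` row has empty KQL and reference cells; `summarize sum(X * X)` fills it, since `sum()` accepts an expression. The `count(X)` description mentions the `eval(field="value")` form, but the KQL cell shows only `summarize count()`; `summarize countif(field == "value")` is the matching form and is worth listing. The `mode(X)` example `top-hitters 1 of Y by X` returns the top value of Y weighted by the sum of X; for the most frequent value of X it should be `top-hitters 1 of X`.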