Skip to content

Instantly share code, notes, and snippets.

@hfleitas

hfleitas/AADay2.kql

Created January 19, 2024 17:40
Show Gist options
  • Save hfleitas/c6ad9078d4112005a5309ad75ee6a29b to your computer and use it in GitHub Desktop.
Save hfleitas/c6ad9078d4112005a5309ad75ee6a29b to your computer and use it in GitHub Desktop.
Download ZIP
AADay2.kql
Raw
AADay2.kql
// https://github.com/Azure/ADX-in-a-Day-Lab2
//5.2
.show database policies
.show table target details | project RetentionPolicy
.alter table target policy retention
```
{
"SoftDeletePeriod": "60.00:00:00",
"Recoverability": "Enabled"
}
```
.show table target details | project RetentionPolicy
//6.2
.show queries
| where User == current_principal_details().UserPrincipalName
| where StartedOn >= ago(7d)
| count
print upn=current_principal_details().UserPrincipalName;
.show running queries
//https://learn.microsoft.com/en-us/azure/data-explorer/kusto/management/queries
//6.3
.show journal | take 10
.show journal
| where Event == 'CREATE-MATERIALIZED-VIEW' and UpdatedEntityName == 'LastestTarget'
| summarize arg_max(EventTimestamp,*)
| project EventTimestamp
//6.4
.show commands
| where User == current_principal_details().UserPrincipalName
| where StartedOn >= ago(7d)
| count
// https://learn.microsoft.com/en-us/azure/data-explorer/kusto/management/commands
// 6.5
.show tables details
.show tables
| extend Comp = format_bytes(TotalExtentSize, 0, "MB")
| extend Org = format_bytes(TotalOriginalSize, 0, "MB")
| project TableName, Comp, Org
// 7.1
Logistics
| take 10
Logistics
| summarize max(Shock) by deviceId
| sort by max_Shock
| take 10
| summarize sum(max_Shock)
Logistics
| summarize max(Shock) by deviceId
| sort by max_Shock
| top 10 by max_Shock
| summarize sum(max_Shock)
Logistics
| summarize max(Shock) by deviceId
| sort by max_Shock
| top 10 by deviceId
| summarize sum(max_Shock)
let x=Logistics
| summarize max(Shock) by deviceId
| sort by max_Shock desc
| project deviceId | take 10;
Logistics
| where deviceId in (x)
| summarize avg(Temp) by deviceId;
//7.2
Logistics
| summarize count() by TransportationMode, bin(enqueuedTime,10m)
| render timechart
// 7.3
Logistics
| where enqueuedTime >=ago(90d)
| count
Logistics
| summarize max(enqueuedTime), min(enqueuedTime)
//2022-07-28T10:49:14.051Z 2022-07-26T17:53:55.543Z
Logistics
| top 10 by Temp desc
| project Location_lon, Location_lat, deviceId, enqueuedTime, Temp
| where enqueuedTime > datetime('2022-07-26T17:53:55.543Z') //ago(90d)
| render scatterchart with (kind=map, series=deviceId, enqueuedTime, Temp)
//7.5
let min_t = (toscalar(Logistics | summarize min(enqueuedTime)));
let max_t = (toscalar(Logistics | summarize max(enqueuedTime)));
let step_interval = 10m;
Logistics
| make-series avg_shock_series=avg(Shock) on (enqueuedTime) from (min_t) to (max_t) step step_interval
| extend anomalies_flags = series_decompose_anomalies(avg_shock_series, 1)
| render anomalychart with(anomalycolumns=anomalies_flags, title='avg shock anomalies')
//8.1
//build a dashboard using outputs of any 5 queries on Logistics
//Add filter on timespan
//Add filter on transportation mode
//F to C
let min_t = (toscalar(Logistics | summarize min(enqueuedTime)));
Logistics
| where enqueuedTime > min_t
| project Temp, C=(Temp-32)*(5.0/9.0), deviceId,NumOfTagsCalculated
| take 5
Logistics
| where deviceId startswith "x"
| summarize count() by deviceId
| render piechart
Logistics
| summarize avg(Temp) by bin(enqueuedTime,1h)
| render timechart
let x=Logistics
| summarize max(Shock) by deviceId
| sort by max_Shock desc
| project deviceId | take 10;
Logistics
| where deviceId in (x)
| summarize avg(Temp) by deviceId, bin(enqueuedTime,10m)
| render timechart
Logistics
| top 1 by Shock desc
| project Shock
Logistics
| where deviceId startswith "x"
| summarize count() by deviceId
| render piechart
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment