Home > OS >  Fetch Last Login Details using Summarize by Time Stamp in KQL
Fetch Last Login Details using Summarize by Time Stamp in KQL

Time:03-15

I am trying to get last login details of user in Kusto database using KQL query language. However I am not getting exact result with below query.

GlobalID - Unique GUID Value which will be created every time user logged in

UserId - Logged in UserId value

LastSuccessFullLoginTimeStamp - Max Timestamp value

 //Fetch Last Logged in userID details
 let window = 2h;
 Events
 | where Timestamp >= ago(window)
 | extend UserId = tostring(Properties.UserId)
 | where UserId in ('12345','56789','24680')
 //| summarize LastSuccessFullLoginTimeStamp = max(Timestamp), count() by 
  GlobalId,UserId
  |project GlobalID,UserId,TimeStamp

enter image description here

But I am failed to get output as like below from above sample data. Fetch latest GlobalID based on userId and last logged in time. Where I am doing wrong? I tried with summarize, make_set but in vain.

enter image description here

CodePudding user response:

You should use the arg_max() function:

 let window = 2h;
 Events
 | where Timestamp >= ago(window)
 | extend UserId = tostring(Properties.UserId)
 | where UserId in ('12345','56789','24680')
 | summarize arg_max(Timestamp, *) by UserId

Page link:https//www.codepudding.com/os/335782.html

Prev:Node Red container and serial port of MacOs
Next:Why the gzipped file uploaded to the azure blob container with a custom file extension is being down
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding