12 Oct 2023 02:46 PM - edited 12 Oct 2023 06:54 PM
12 Oct 2023 05:17 PM
This query should work.
And please check out the following YouTube video, where I explain how the last part of the query is crafted: https://www.youtube.com/watch?v=Lgv5rxlEJ0Q
12 Oct 2023 06:55 PM
Here is what the query looked like as a final solution:
fetch logs, scanLimitGBytes: -1
// narrow to the relevant log sources (phrases masked in the post)
| filter matchesPhrase(content, "*********") OR matchesPhrase(content, "**********")
| filter matchesPhrase(content, "*ACCESS")
// extract the channel field (parse pattern masked in the post)
| parse content, "*************-'"
| filter channel != "null"
| summarize count = count(), by:{channel}
// collapse everything into one row holding the (channel, count) records plus the bare counts...
| summarize array = collectArray(record(channel=channel, count=count)), count = collectArray(count)
// ...so the maximum is computed once and can be compared against every row after expansion
| fieldsAdd count_max = arrayMax(count)
| expand array
| fields `Channel` = array[channel], `count` = array[count], isLive = if(array[count] == count_max, "🔴")
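Added illustration, not code from the post or from Dynatrace: a plain-Python model of the pipeline above, showing what the collectArray/arrayMax/expand steps compute, including the case where several channels tie for the maximum. The sample log lines and the `channel=<name>` parse pattern are constructed assumptions, since the real phrases are masked in the post.

```python
# Model of the DQL pipeline from the post, written in plain Python so the
# effect of each step can be inspected. Not Dynatrace code.
import re
from collections import Counter

# Constructed sample log records, standing in for `fetch logs`.
SAMPLE_LOGS = [
    "2023-10-12 14:01 ACCESS channel=news-live",
    "2023-10-12 14:02 ACCESS channel=sports",
    "2023-10-12 14:03 ACCESS channel=news-live",
    "2023-10-12 14:04 ACCESS channel=null",     # dropped by the != "null" filter
    "2023-10-12 14:05 ERROR channel=sports",     # dropped by the *ACCESS filter
    "2023-10-12 14:06 ACCESS channel=news-live",
]

# Assumed stand-in for the parse pattern that is masked in the post.
CHANNEL_RE = re.compile(r"channel=(\S+)")

def parse_channel(content):
    """`parse content, ...`: pull the channel out of one log line, or None if absent."""
    m = CHANNEL_RE.search(content)
    return m.group(1) if m else None

def live_channels(lines):
    """Returns [(Channel, count, isLive)] rows, like the query's final `fields` step."""
    # `filter matchesPhrase(content, "*ACCESS")`
    access = [line for line in lines if "ACCESS" in line]
    # `parse` followed by `filter channel != "null"`
    channels = [c for c in map(parse_channel, access) if c is not None and c != "null"]
    # `summarize count = count(), by:{channel}` (Counter keeps first-seen order)
    counts = Counter(channels)
    # `summarize array = collectArray(record(channel=channel, count=count)), ...`
    records = [{"channel": ch, "count": n} for ch, n in counts.items()]
    # `fieldsAdd count_max = arrayMax(count)`; an empty result set yields 0 here
    count_max = max((r["count"] for r in records), default=0)
    # `expand array` + `fields ..., isLive = if(array[count] == count_max, "🔴")`
    # Every channel tied for the maximum receives the marker, not just one.
    return [
        (r["channel"], r["count"], "🔴" if r["count"] == count_max else None)
        for r in records
    ]
```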