Azure log analytics query to display computers if event count bigger than X

Question

I have past few hours trying to build query that shows/list computers which have generated over 10 events of specific id's. E.g query list all computers that has occurred event 2222 but I would want to have query that would list computers only if it has reported e.g over 10 events of same id in past 48 hours. If none computer has reported over 10 events of specific id, then result is just empty.

Event | where Source contains "service" | where EventID == 2222

Another example which display results computers that has occurred event 2222 and how many times, but still missing that displaying results if count is bigger than 10.

 Event
    | where Source contains "service"  | where EventID == 2222 
    | summarize count() by  Computer

Logic behind this would be to create some kinda alert. A single event is not alone important but if it occurs more then it start to matter. Any tips?

Answer 1

Good job for this. But we usually give it a meaningful name instead of the auto-generated name like count_.

You can add a meaningful name in the summarize sentence like summarize TotalCount=count() by Computer.

The full query like below:

Event
    | where Source contains "service"  | where EventID == 2222 
    | summarize TotalCount=count() by  Computer
    | where TotalCount > 10

The result:

Answer 2

Got it finally working by this:

Event
    | where Source contains "service"  | where EventID == 2222 
    | summarize count() by  Computer
    | where count_ > 10