AdamC
Reputation: 23
How to use Kusto to return a max() row from a table, while showing other columns not used in the max grouping
Given the following Log analytics KQL query :
SigninLogs
| where ResultType == 0
| summarize max(TimeGenerated) by UserPrincipalName
I need to display other columns from those selected rows in the SigninLogs table. I've tried different approaches with no success. Joining back to the same table again seems unfeasible as joins appear to only be available using a single column. Other approaches using in failed because the needed columns weren't available in the above source query.
Upvotes: 2
Views: 5085
Answers (1)
Yoni L.
Reputation: 26005
You can use the arg_max() aggregation function: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/arg-max-aggfunction
Upvotes: 2
Related Questions
- How to summarize data with arg_max() in KQL using two columns?
- How to get the latest row per value?
- Kusto, retrieving all the rows with maximum values
- Kusto/KQL: How to get summary of max values of a single column from multiple tables
- Find max from first row to current row in Kusto (Timeseries)
- Get Other columns based on max of one column in Kusto
- How to use max(timestamp) with summarize when using other aggregated columns (count()) in kusto (kql)?
- Get Max of date column without using summarise in Kusto
- Kusto query to get the latest column value which is not empty (for each column)
- Kusto query max x by y