lookup()
The lookup function looks up a value in a Dimension table, or a dictionary. Use the lookup function with the events_all view.
Syntax
lookup(DimensionTable, ReturnColumn, LookupValue)
Arguments
- DimensionTable: The name of the Dimension table in which to look up a value
- ReturnColumn: The column in the Dimension table to return
- LookupValue: The value, or the key, used to look up the return value
Returns
A single scalar value
Example
events_all
| project original_time, data_source_type_id,
    data_source_type_name=lookup(datasources, 'data_source_name', data_source_id)
| where original_time > ago(5m)
| where isnotempty(data_source_type_name)
| summarize EventCount=count() by DataSourceTypeName=data_source_type_name
Results
| DataSourceTypeName | EventCount |
|---|---|
| Microsoft Windows Security Event Log | 220545555 |
| SentinelOne ActiveEDR | 18937016 |