I am writing a query that counts how many computers a user has logged on to in the past 30 days. For each of the last 30 days I need the number of distinct machines each user logged on to, so that I get an accurate daily average from the logs, which I will later compare against a threshold to detect anomalies.

My problem is that if a user returns no logs for just 1 of the 30 days but does for the other 29, the query excludes all of that user's results from my table. I would like to say something like: if there is no result (isnull? iff?) then skip that day and move on, or be able to set the table value to blank/0, so that when I compute the average it just adds a 0 to the average.

The final table should return TargetUserName, Avg (sum of each day / 30, excluding the current day).

The code here shows all the test days; I used only 10 days instead of 30 to keep it short.

Right now it correctly shows users who have logs in the past 30 days, but if a user has no logs on even 1 day, they are excluded from the final result.
```kql
// Successful logon events (4624 on newer Windows, 528 on legacy).
let Event=(){SecurityEvent | where EventID == 4624 or EventID==528};
// One tabular function per day: distinct workstations per user for that day.
let d1=(){Event | where TimeGenerated between(ago(2d) .. ago(1d))| summarize DT1=dcount(WorkstationName) by TargetUserName};
let d2=(){Event | where TimeGenerated between(ago(3d) .. ago(2d)) | summarize DT2=dcount(WorkstationName) by TargetUserName};
let d3=(){Event | where TimeGenerated between(ago(4d) .. ago(3d)) | summarize DT3=dcount(WorkstationName) by TargetUserName};
let d4=(){Event | where TimeGenerated between(ago(5d) .. ago(4d)) | summarize DT4=dcount(WorkstationName) by TargetUserName};
let d5=(){Event | where TimeGenerated between(ago(6d) .. ago(5d)) | summarize DT5=dcount(WorkstationName) by TargetUserName};
let d6=(){Event | where TimeGenerated between(ago(7d) .. ago(6d)) | summarize DT6=dcount(WorkstationName) by TargetUserName};
let d7=(){Event | where TimeGenerated between(ago(8d) .. ago(7d)) | summarize DT7=dcount(WorkstationName) by TargetUserName};
let d8=(){Event | where TimeGenerated between(ago(9d) .. ago(8d)) | summarize DT8=dcount(WorkstationName) by TargetUserName};
let d9=(){Event | where TimeGenerated between(ago(10d) .. ago(9d)) | summarize DT9=dcount(WorkstationName) by TargetUserName};
let d10=(){Event | where TimeGenerated between(ago(11d) .. ago(10d)) | summarize DT10=dcount(WorkstationName) by TargetUserName};
// Default join kind is an inner join, so a user missing from any single day's
// table is dropped from the whole result (the problem described above).
// Divisor is 10.0 rather than 10 so the average is not truncated by integer division.
d1 | join (d2) on TargetUserName | join (d3) on TargetUserName | join (d4) on TargetUserName | join (d5) on TargetUserName | join (d6) on TargetUserName | join (d7) on TargetUserName | join (d8) on TargetUserName | join (d9) on TargetUserName | join (d10) on TargetUserName | extend Avg = ((DT1+DT2+DT3+DT4+DT5+DT6+DT7+DT8+DT9+DT10)/10.0) | summarize by TargetUserName, Avg, DT1, DT2, DT3, DT4, DT5, DT6, DT7, DT8, DT9, DT10
```
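The zero-fill approach the question asks for, written as an added example rather than the asker's query: `make-series` buckets each user's distinct-workstation count per day over a fixed 30-day window and fills days with no logons with 0, so one quiet day no longer removes the user. It assumes the same `SecurityEvent` table and event IDs as above; `lookback`, `windowStart` and `windowEnd` are names chosen here.

```kql
// Added example: daily distinct-workstation average per user over 30 full days,
// missing days counted as 0, current (partial) day excluded.
let lookback = 30d;
let windowEnd = startofday(now());        // start of today: today is excluded
let windowStart = windowEnd - lookback;   // 30 full days ending yesterday
SecurityEvent
| where EventID == 4624 or EventID == 528
| where TimeGenerated >= windowStart and TimeGenerated < windowEnd
// One bin per day per user; days without any logon get default = 0
| make-series DailyDistinct = dcount(WorkstationName) default = 0
    on TimeGenerated from windowStart to windowEnd step 1d
    by TargetUserName
// avg over the 30 bins == (sum of daily counts) / 30, zeros included
| extend Stats = series_stats_dynamic(DailyDistinct)
| project TargetUserName,
          Avg = todouble(Stats.avg),
          MaxDay = tolong(Stats.max),
          DailyDistinct
```

A user who logged on during the window but not on a given day now contributes a 0 for that day instead of disappearing; users with no logons at all in the window still do not appear, which is the expected baseline behaviour.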