1

下面的代码给出了错误:发生了识别错误

let vips = datatable (name: string)
['xxxx',
 'yyyy',
 'zzzz',
 'gggg'];
DeviceLogonEvents  
| where AccountName  in~ (vips)
| summarize by DeviceName
| summarize vippc = make_list(DeviceName)
DeviceAlertEvents
| where DeviceName in (vippc)

有什么建议我可以在 DeviceName 列的 DeviceAlertEvents 中搜索列表 vippc 中的项目吗?

4

1 回答 1

1

你可以试试这个:

let vips = datatable(name: string)
[
 'xxxx',
 'yyyy',
 'zzzz',
 'gggg'
]
;
let vippc = 
   DeviceLogonEvents  
   | where AccountName  in~ (vips)
   | distinct DeviceName
;
DeviceAlertEvents
| where DeviceName in (vippc)
于 2021-01-02T00:25:10.647 回答