Fetch Last Login Details using Summarize by Time Stamp in KQL
I am trying to get the last login details of a user in a Kusto database using the KQL query language. However, I am not getting the exact result with the query below.
GlobalID - Unique GUID value which is created every time a user logs in
UserId - Logged-in UserId value
LastSuccessFullLoginTimeStamp - Max Timestamp value
//Fetch Last Logged in userID details
let window = 2h;
Events
| where Timestamp >= ago(window)
| extend UserId = tostring(Properties.UserId)
| where UserId in ('12345','56789','24680')
//| summarize LastSuccessFullLoginTimeStamp = max(Timestamp), count() by GlobalId,UserId
| project GlobalID,UserId,TimeStamp
But I failed to get output like the below from the above sample data. Fetch the latest GlobalID based on userId and last logged-in time. Where am I going wrong? I tried summarize and make_set, but in vain.
Solution 1:[1]
You should use the arg_max() function:
let window = 2h;
Events
| where Timestamp >= ago(window)
| extend UserId = tostring(Properties.UserId)
| where UserId in ('12345','56789','24680')
| summarize arg_max(Timestamp, *) by UserId
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Avnera |
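
The arg_max() approach from Solution 1, as an added example that is not part of the original question or answer. It runs against a constructed inline datatable instead of the real Events table, and it replaces ago(window) with a fixed reference time (asOf, an assumption) so the sample rows stay inside the window.

```kql
// Added example: constructed sample rows standing in for the Events table.
// Column names follow the question; the GUID-like values are made up.
let window = 2h;
let asOf = datetime(2024-01-01 12:00:00);   // assumed stand-in for now()
let Events = datatable(Timestamp: datetime, GlobalId: string, Properties: dynamic)
[
    datetime(2024-01-01 09:30:00), "g-0001", dynamic({"UserId": "12345"}),  // outside the 2h window
    datetime(2024-01-01 10:15:00), "g-0002", dynamic({"UserId": "12345"}),
    datetime(2024-01-01 11:40:00), "g-0003", dynamic({"UserId": "12345"}),
    datetime(2024-01-01 10:05:00), "g-0004", dynamic({"UserId": "56789"}),
    datetime(2024-01-01 11:55:00), "g-0005", dynamic({"UserId": "56789"}),
    datetime(2024-01-01 11:00:00), "g-0006", dynamic({"UserId": "99999"})   // not in the user list
];
Events
| where Timestamp >= asOf - window
| extend UserId = tostring(Properties.UserId)
| where UserId in ('12345', '56789', '24680')
// Group by UserId only. GlobalId is unique per login, so grouping by
// GlobalId, UserId (as in the commented-out summarize in the question)
// produces one group per login and max(Timestamp) never collapses them.
// arg_max returns the row with the greatest Timestamp in each group and
// carries that row's GlobalId along with it.
| summarize arg_max(Timestamp, GlobalId), LoginCount = count() by UserId
| project UserId, GlobalId, LastSuccessFullLoginTimeStamp = Timestamp, LoginCount
// Users with no events in the window (here '24680') produce no row at all.
```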


