Join/loop through KQL query result

Question

Join/loop through KQL query result

RT-7199 516

Below gives me a table of distinct usernames

WVDConnections 
| take 100 
| sort by TimeGenerated asc, CorrelationId 
| distinct  UserName

Below gives me a session duration for a single user, but i have to manually type in the UserName

let Events = WVDConnections | where UserName == "userupn" ;
Events
| where State == "Connected"
| project CorrelationId , UserName, ResourceAlias , StartTime=TimeGenerated
| join (Events
| where State == "Completed"
| project EndTime=TimeGenerated, CorrelationId)
on CorrelationId
| project Duration = EndTime - StartTime, ResourceAlias
| sort by Duration asc

How can I combine both queries to get result for each user. If it was powershell or python, i would loop through the list given by 1srt query. Not sure how to do in KQL

0 comments

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Stanislav Zhelyazkov 29,586 MVP Volunteer Moderator

Hi,

I think something like this would do the work:

let Events = WVDConnections  ;
Events
| where State == "Connected"
| project CorrelationId , UserName, ResourceAlias , StartTime=TimeGenerated
| join (Events
| where State == "Completed"
| project EndTime=TimeGenerated, CorrelationId, UserName)
on CorrelationId, UserName
| project Duration = EndTime - StartTime, ResourceAlias, UserName
| sort by Duration asc

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

0 comments

Share via

Join/loop through KQL query result

0 additional answers

Your answer