How to properly visualize count of Event IDs per day?

Chris Parker 21 Reputation points
2022-08-03T17:25:07.22+00:00

I can get the result I'm looking for when it's in table form but looks very wrong when I switch to the Chart view. Rather than trying to explain things here, I'll share a screenshot. I'm expecting to see how many of each Event ID occurred per day. What I'm seeing is very different.

p.s. The tag below is not relevant because there's no tag that is appropriate.

Azure Monitor

Accepted answer
  1. Maxim Sergeev 6,586 Reputation points Microsoft Employee
    2022-08-05T04:50:20.977+00:00

    You need to use tostring()

    Event
    | where TimeGenerated >= ago(7d)
    | summarize count() by bin (TimeGenerated, 1d), tostring(EventID)
    | render columnchart

    1 person found this answer helpful.

1 additional answer

  1. Chris Parker 21 Reputation points
    2022-08-05T01:21:11.177+00:00

    The answer is the following:

    SecurityEvent
    | project TimeGenerated, EventID=tostring(EventID)
    | where TimeGenerated >= ago(7d)
    | summarize Count=count() by EventID, bin(TimeGenerated, 6h)
