🌴
The Amazing KQL
  • The Amazing KQL
  • 💠KQL Quick Guide
    • Useful Resources 🔦
    • My favorites 😍
      • search
      • take
      • where
      • summarize
        • arg_max()
        • count, countif
        • dcount, dcountif
        • take_any
      • distinct
      • case
      • project
        • project-reorder
        • project-away
        • project-rename
        • project-keep
      • sort by
      • extend
      • extract
        • extract_all
      • parse
      • stract
      • count
        • countif
      • mv-expand
      • dcount
        • dcountif
      • Create table
      • let
      • join
      • union
      • materialize
    • Need to practice more 🎯
      • toscalar
      • range
      • make-series
      • series_outliers
      • set_differenc
      • pack
      • summarize
        • make_bag
        • make_set, make_list
      • evaluate
        • pivot
        • bag_unpack
        • pack_all
      • mv-expand
      • set_difference
      • render
    • Need to learn later 🐢
      • scan
      • ExtractParseParse-kv-Tabular
      • decode
      • mv-apply
      • prev and next
      • row_cumsum
      • any
      • top-nested
      • Time Series
        • series_stats
        • series_fir
        • series_iir
        • series_fit_line
        • series_fit_2lines
      • Machine Learning
        • basket
        • autocluster
        • diffpatterns
        • reduce
  • 💻Microsoft Endpoint Manager
    • Device Inventory
      • Device OS version
      • Same AAD Device ID and Intune Device ID
Powered by GitBook
On this page
  • 📲 Example: calculate Intune device free storage percentage, and convert storage from MB to GB
  • 📲 Example: Get user sign-in details, extend information from device details
  1. KQL Quick Guide
  2. My favorites 😍

extend

Previoussort byNextextract

Last updated 2 years ago

extend allow us to build calculated columns of our query results and append them to the result set. You can also extend custom text as well

📲 Example: calculate Intune device free storage percentage, and convert storage from MB to GB

IntuneDevices
| where TimeGenerated > ago (30d) 
    and OS == 'Windows'
    and isnotempty(SerialNumber)
    and todatetime(LastContact) > ago(60d) //We need to convert LastContact to date time format
| summarize arg_max(TimeGenerated, *) by SerialNumber
| extend StorageTotalGB = round(todouble(StorageTotal)/1024, 3)
        ,StorageFreeGB = StorageFree /1024
        ,['Free Percentage'] = toreal(StorageFree) / toreal(StorageTotal) * 100
| project-reorder TimeGenerated, DeviceName, StorageTotalGB, StorageFreeGB, ['Free Percentage']

📲 Example: Get user sign-in details, extend information from device details

SigninLogs
| where TimeGenerated > ago (7d)
| extend OperatingSystem = tostring(DeviceDetail.operatingSystem)
| extend DeviceId = tostring(DeviceDetail.deviceId)
| extend Browser = tostring(DeviceDetail.browser)
| distinct UserPrincipalName, UserDisplayName, OperatingSystem, Browser, DeviceId, AppDisplayName
💠