I want to combine two "identical" KQL queries into one query.

    StorageBlobLogs
    | where Uri startswith "sftp://mystrgsftp.blob.core.windows.net/gisa/"
        and OperationName == "SftpWrite"
        and RequesterObjectId == "gisa"
        and TimeGenerated between (startofday(now(),0) .. datetime(now))
    | count as Count_Gisa;

    StorageBlobLogs
    | where Uri startswith "sftp://mystrgsftp.blob.core.windows.net/gisa/"
        and OperationName == "SftpWrite"
        and RequesterObjectId == "BIS"
        and TimeGenerated between (startofday(now(),0) .. datetime(now))
    | count as Count_BIS;

As a result I would like to have:

    134 | 245

I tried to use this approach, but it won't work for me: Using KQL 'let' to combine two queries in the same table

Here's the updated KQL:

    StorageBlobLogs
    | where Uri startswith "sftp://mystrgsftp.blob.core.windows.net/gisa/"
        and OperationName == "SftpWrite"
        and TimeGenerated between (startofday(now(),0) .. datetime(now))
        and RequesterObjectId in ("gisa", "BIS")
    | summarize Count_Gisa = sum(toint(RequesterObjectId == "gisa")),
                Count_BIS = sum(toint(RequesterObjectId == "BIS"))
        by bin(TimeGenerated, 1d)

PS: If you don't need daily aggregation you can remove the last line.
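
A self-contained variant of the single-query approach, as an added example that is not part of the answer above: it uses `countif()` on constructed sample rows and adds a hypothetical `Count_Other` column for SFTP writes by any identity other than the two expected ones, which the `in (...)` filter would otherwise drop from view. The `SampleLogs` table, its rows and the `other-user` name are assumptions; the time filter is left out because the sample timestamps are fixed.

```kql
// Constructed sample rows standing in for StorageBlobLogs (not real log data).
let SampleLogs = datatable(TimeGenerated: datetime, OperationName: string,
                           RequesterObjectId: string, Uri: string)
[
    datetime(2024-05-01 08:00:00), "SftpWrite", "gisa",
        "sftp://mystrgsftp.blob.core.windows.net/gisa/in/a.csv",
    datetime(2024-05-01 08:05:00), "SftpWrite", "gisa",
        "sftp://mystrgsftp.blob.core.windows.net/gisa/in/b.csv",
    datetime(2024-05-01 09:10:00), "SftpWrite", "BIS",
        "sftp://mystrgsftp.blob.core.windows.net/gisa/in/c.csv",
    // Not a write: removed by the OperationName filter.
    datetime(2024-05-01 09:12:00), "SftpRead", "BIS",
        "sftp://mystrgsftp.blob.core.windows.net/gisa/in/c.csv",
    // Hypothetical unexpected writer: ends up in Count_Other.
    datetime(2024-05-01 10:30:00), "SftpWrite", "other-user",
        "sftp://mystrgsftp.blob.core.windows.net/gisa/in/d.csv",
    // Different container: removed by the Uri prefix filter.
    datetime(2024-05-01 11:00:00), "SftpWrite", "gisa",
        "sftp://mystrgsftp.blob.core.windows.net/archive/x.csv"
];
SampleLogs
| where Uri startswith "sftp://mystrgsftp.blob.core.windows.net/gisa/"
    and OperationName == "SftpWrite"
// No RequesterObjectId filter here, so unexpected writers stay countable.
// The == and !in comparisons are case-sensitive: "bis" would count as Other.
| summarize Count_Gisa  = countif(RequesterObjectId == "gisa"),
            Count_BIS   = countif(RequesterObjectId == "BIS"),
            Count_Other = countif(RequesterObjectId !in ("gisa", "BIS"))
```

Without a `by` clause the `summarize` returns a single row, one column per counter.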