Working with multiple dimensions
With multiple dimensions, you can use several expressions in the by clause to create multiple visualization rows, one for each combination of values:
- In the Analytics portal, type the following query into the new query field:
    SecurityEvent
    | where TimeGenerated > ago(1d)
    | summarize count() by tostring(EventID), AccountType, bin(TimeGenerated, 1h)
- Click the Go button in the upper right-hand corner of your screen to return a distribution of your data over the last day. By default, the results are displayed in a table.
- In the results pane, click Chart to view a multidimensional depiction of the data with various value combinations.
The query casts the EventID to a string because dimensions must be of the string type.
Figure 2.20
The query returns data that is segmented by two dimensions, and you can use the controls in the results pane to switch between the dimensions and visualize the data based on another dimension.
- In the results pane, click TimeGenerated and select AccountType to see the data according to the account type:
Figure 2.21
- Click AccountType and select TimeGenerated to revert to the previous view. Click EventID and select AccountType to switch to the other dimension of the data segmentation:
Figure 2.22
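The same grouping can be run against a handful of constructed rows, which makes the one-row-per-combination result easy to inspect without live data. This is an added example, not part of the original text; the SampleEvents table, its values, and the explicit output column names EventID and Events are assumptions made for illustration.

```kusto
// Constructed sample rows standing in for the SecurityEvent table (not real data).
// 4624 and 4625 are the Windows event IDs for a successful and a failed logon.
let SampleEvents = datatable(TimeGenerated: datetime, EventID: int, AccountType: string)
[
    datetime(2024-01-01 10:05:00), 4624, "User",
    datetime(2024-01-01 10:20:00), 4624, "User",
    datetime(2024-01-01 10:40:00), 4624, "Machine",
    datetime(2024-01-01 10:50:00), 4625, "User",
    datetime(2024-01-01 11:10:00), 4624, "User",
    datetime(2024-01-01 11:15:00), 4625, "User",
    datetime(2024-01-01 11:30:00), 4625, "User"
];
SampleEvents
// Two string dimensions (EventID cast with tostring, and AccountType)
// plus the hourly time bin. Each distinct combination of the three
// becomes its own row, and therefore its own series in the chart view.
| summarize Events = count()
    by EventID = tostring(EventID), AccountType, bin(TimeGenerated, 1h)
// Sort so that rows belonging to the same hour sit next to each other.
| order by TimeGenerated asc, EventID asc, AccountType asc
```

Combinations that never occur in the data, such as a failed logon for a Machine account in this sample, produce no row at all rather than a row with a count of zero.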