I have a Function App that pulls the Azure public key using a PowerShell script and outputs it into Log Analytics. I am trying to get notified if the public key updates. At the moment, I am comparing the top two results to see changes.

Does anyone know a query that could compare two message outputs to see if the output value changes? This will be to create an alert and more automation if the public key does change.

Peter Bons
Mike Love

1 Answer

Yes, this is possible, for example by using the next() function:

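```kusto
traces
| where message has "OUTPUT"
// Keep the two most recent entries, newest first
| top 2 by timestamp desc
// next(message) is the message of the following (older) row
| extend different = next(message) != message
// Only the newest row has an older row to compare against
| take 1
// Return a row only when the newest value differs from the previous one
| where different == true
```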

Using next(), you can look up the value of a column in the next row. We can use that to compare with the current value of message.

Peter Bons
  • Legend! Thanks heaps for this, looks like it's a working solution. – Mike Love Apr 22 '22 at 07:04
  • @MikeLove feel free to [accept the answer](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work) if it was of any help to you so others know it has been answered. – Peter Bons May 10 '22 at 09:33
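
The same comparison extended from the two newest rows to every consecutive pair in the query window, so a key change is still reported when the Function App has logged more than once since the alert rule last ran. This is an added example, not part of the original answer; the `sample_traces` rows and key values are constructed sample data standing in for the `traces` table, and the SHA-256 fingerprint columns are an addition to keep the alert payload short.

```kusto
// Constructed sample data standing in for the real `traces` table.
let sample_traces = datatable(timestamp: datetime, message: string) [
    datetime(2022-04-20 01:00:00), "OUTPUT: sample-key-A",
    datetime(2022-04-20 02:00:00), "OUTPUT: sample-key-A",
    datetime(2022-04-20 03:00:00), "OUTPUT: sample-key-B",
    datetime(2022-04-20 04:00:00), "OUTPUT: sample-key-B",
    datetime(2022-04-20 05:00:00), "Function started"
];
sample_traces
| where message has "OUTPUT"
// Sorting serializes the row set, which prev() requires.
| order by timestamp asc
// prev(message) is the message logged by the preceding (older) run.
| extend previous = prev(message)
// The oldest row has no predecessor, so skip it instead of flagging it.
| where isnotempty(previous) and message != previous
// Fingerprints make the old and new values easy to compare in an alert.
| project changed_at = timestamp,
          previous_sha256 = hash_sha256(previous),
          current_sha256 = hash_sha256(message)
```

With the sample rows this returns a single row, for the 03:00 entry where the value switches from key A to key B. Replace `sample_traces` with `traces` and alert when the result count is greater than zero.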