I am using Windows Update for Business to pull in Intune data to track patching for my org. This data is stored in a Log Analytics Workspace and can be queried using KQL.
I am trying to write a specific KQL query that shows two categories with nested dropdowns.
(Image: ideal format for output of this query)
The current query I have built is:
let _SnapshotTime = datetime(2023-01-18T06:00:00Z);
UCClientUpdateStatus
| where TimeGenerated == _SnapshotTime
| join (UCClient | where TimeGenerated == _SnapshotTime) on DeviceName
| summarize arg_max(TimeGenerated, *) by OSSecurityUpdateStatus, TargetKBNumber, DeviceName
This returns too much data and is not quite structured the way I'm looking for. Has anyone here had any luck with creating a KQL query that returns Intune patching data status in a format similar to above?