Need to write KQL to check if these 4 documents occur one after the other

    1. 31628 2021-02-13T00:20:49.325893Z - xyz svn/repos open
    2. 31628 2021-02-13T00:20:49.607437Z - xyz svn/repos get-latest
    3. 31628 2021-02-13T00:20:49.888794Z - xyz svn/repos reparent 
    4. 31628 2021-02-13T00:20:50.170101Z - xyz svn/repos stat 

I need to write KQL such that it shows document groups like these (i.e., groups of 4 documents with open, get-latest, reparent, stat). All 4 must be within a one-second range, as shown in the above logs.

Please help me, if this is possible with KQL.
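Kibana's KQL matches documents one at a time and has no operator for "event A, then B, then C, then D within one second"; that kind of ordered, time-bounded pattern has to be evaluated outside the filter (for example by a sequence-capable query language, or by a script over the exported hits). The following added example is not part of the original post and not Elastic's own code: it implements the exact check the question asks for in Python over constructed log lines in the format shown above. The session id, user and repository path are assumed to identify one client session, and a match requires the four operations to be consecutive within that session and the last timestamp to be at most one second after the first.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample in the post's line format: "<session> <timestamp> - <user> <repo> <op>".
# Lines 1-4 are a valid group. Lines 5-8 (session 40001) have the right order,
# but "stat" arrives 1.5 s after "open", so they must NOT be reported.
SAMPLE_LOG = """\
31628 2021-02-13T00:20:49.325893Z - xyz svn/repos open
31628 2021-02-13T00:20:49.607437Z - xyz svn/repos get-latest
31628 2021-02-13T00:20:49.888794Z - xyz svn/repos reparent
31628 2021-02-13T00:20:50.170101Z - xyz svn/repos stat
40001 2021-02-13T00:21:10.000000Z - abc svn/repos open
40001 2021-02-13T00:21:10.400000Z - abc svn/repos get-latest
40001 2021-02-13T00:21:10.800000Z - abc svn/repos reparent
40001 2021-02-13T00:21:11.500000Z - abc svn/repos stat
"""

EXPECTED_SEQUENCE: Tuple[str, ...] = ("open", "get-latest", "reparent", "stat")
MAX_SPAN = timedelta(seconds=1)


@dataclass
class Event:
    session: str
    ts: datetime
    user: str
    repo: str
    op: str


def parse_line(line: str) -> Event:
    """Parse one log line of the format shown in the post (assumed fixed field order)."""
    session, stamp, _dash, user, repo, op = line.split()
    # Older Python versions do not accept a trailing "Z" in fromisoformat; spell out UTC.
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return Event(session, ts, user, repo, op)


def find_sequences(log_text: str,
                   sequence: Tuple[str, ...] = EXPECTED_SEQUENCE,
                   max_span: timedelta = MAX_SPAN) -> List[List[Event]]:
    """Return every run of consecutive events, within one session, whose operations
    equal `sequence` in order and whose first-to-last time span is <= max_span."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e.ts)  # hits from a search are not guaranteed ordered

    # Group by the fields assumed to identify one client session, so events from
    # different sessions are never combined into a single match.
    by_session: Dict[Tuple[str, str, str], List[Event]] = {}
    for e in events:
        by_session.setdefault((e.session, e.user, e.repo), []).append(e)

    matches: List[List[Event]] = []
    n = len(sequence)
    for evs in by_session.values():
        i = 0
        while i + n <= len(evs):
            window = evs[i:i + n]
            ops = tuple(e.op for e in window)
            if ops == sequence and window[-1].ts - window[0].ts <= max_span:
                matches.append(window)
                i += n  # do not let one event take part in two overlapping groups
            else:
                i += 1
    return matches


if __name__ == "__main__":
    for group in find_sequences(SAMPLE_LOG):
        span = group[-1].ts - group[0].ts
        print(f"session {group[0].session}: "
              f"{' -> '.join(e.op for e in group)} within {span.total_seconds():.3f}s")
```

Running the block prints the single qualifying group from session 31628; the second session is rejected because its span exceeds one second. Relax the adjacency rule (allow unrelated events between the four) by scanning for the next expected operation instead of slicing a fixed window, if that better matches the logs being analysed.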
