Some excellent data is available to be queried via Kusto using AzureDiagnostics. For example, the ResultDescription field has almost all of the relevant information, but it’s in a format that needs to be parsed to grab specific fields from the column. Below is a sample query to parse the particular fields within this column. We start by identifying the records we need to split out (in our case, those that begin with “Computer”). And then, we project the two required fields (TimeGenerated and ResultDescription). Then we do a parse for the specific pieces of the column that we need to break out.

AzureDiagnostics

| where Category == “JobStreams” and ResultDescription startswith “Computer”

| sort by TimeGenerated

| project TimeGenerated, ResultDescription

| parse-where ResultDescription with * “Computer    :” Computer “\n” *

| parse-where ResultDescription with * “Category    :” Category “\n” *

| parse-where ResultDescription with * “TestGroup   :” TestGroup “\n” *

| parse-where ResultDescription with * “TestName    :” TestName “\n” *

| parse-where ResultDescription with * “Status      :” Status “\n” *

| parse-where ResultDescription with * “Description :” Description “\n” *

| parse-where ResultDescription with * “Message     :” Message “\n” *

| parse-where ResultDescription with * “RunTime     :” RunTime “\n” *

| project TimeGenerated,Computer,Category,TestGroup,TestName,Status,Message,Description,RunTime

Summary: If you need to go through a field that contains multiple values, try out the parse-where functionality! I owe a huge thank you to David Stein who wrote this query. You rock dude!