在编写KQL(Kusto Query Language)查询时,时间窗口的设置是非常关键的一环,它直接影响到查询结果的准确性和性能。本文将通过一个实际的案例,深入探讨如何在KQL查询中正确处理时间窗口,并解决常见的错误。
案例背景
最近,用户sl0th在尝试查询文件创建和重命名事件时,遇到一个奇怪的错误:“An unexpected error occurred during query execution. Please try again in a few minutes.”。尽管多次重写查询,但问题依然存在。
查询代码
以下是sl0th的原始查询代码:
DeviceFileEvents | where Timestamp > ago(3d) | where ActionType == "FileCreated" or ActionType == "FileRenamed" | where FileName endswith ".exe" | join kind=inner (DeviceProcessEvents) on DeviceId | where Timestamp1 > ago(3d) | where FolderPath == FolderPath1 | where InitiatingProcessFileName1 == "explorer.exe" or InitiatingProcessParentFileName1 == "explorer.exe" | where (Timestamp1 - Timestamp)
