This is the fifth installment of a Series (I don’t know yet how many posts they will be in the end, but I had at least 5 in mind at this point… and as I am writing I realize I won’t be done with this one…) that walks thru the concepts of **Microsoft Azure Operational Insights** Search Syntax – while the full documentation and syntax reference is here, these posts are meant to guide your first steps with practical examples. I’ll start very simple, and build upon each example, so you can get an understanding of practical use cases for how to use the syntax to extract the insights you need from the data.

In my first post I introduced filtering, querying by keyword or by a field’s exact value match, and some Boolean operators.

In the second post I built upon the concepts of the first one, and introduced some more complex flavors of filters that are possible. Now you should know all you need to ** extract** the data set you need.

In the third post I introduced the use of the pipeline symbol “|” and how to shape your results with search commands.

In the fourth post I introduced our most powerful command – **measure** – and used it with just the simplest of the statistical functions: **count()**.

So let’s continue from where we left, and let’s explore some of the other statistical functions you can use with **measure**.

## Measure Max() and Measure Min()

There are various scenarios where these are useful. I will only illustrate Max() and will leave Min() as an exercise for the reader – since it does the exact opposite of the other one.

Let’s start with a simple example. If I query for ‘Advisor’ Configuration Assessment Alerts, they have a ‘Severity’ property which is either 0,1 or 2 (meaning info/warning/critical):

If I want to see what is the HIGHEST value for all of the alerts given a common ‘Computer’ (the ‘group by’ field), I can write

**Type=Alert | Measure Max(Severity) by Computer**

and it will show me that – for the computers that had ‘Alert’ records, most of them have at least a critical one, and the ‘BaconSCOM’ machine has a warning as ‘worst’ severity:

This of course works well with NUMBERs, but it can also work with DateTime fields, i.e. it is very useful to check what is the last/most recent timestamp for any piece of data indexed for each computer, i.e.

When was the most recent configuration change reported by change tracking Intelligence Pack for each machine?

**Type=ConfigurationChange | Measure Max(TimeGenerated) by Computer**

Hope this got you started on measure Max() – now try measure Min().

In the next Installment we’ll look at the AVG (average) statistical function with the measure command – particularly interesting with performance/capacity data!

Stay tuned for that, and happy searching!

Part 6 is posted! blogs.msdn.com/…/azure-operational-insights-search-how-to-part-vi-measure-avg-and-an-exploration-of-type-perfhourly.aspx

7th – blogs.msdn.com/…/azure-operational-insights-search-hot-to-part-vii-measure-sum-and-where-command.aspx

8th – blogs.msdn.com/…/operations-management-suite-log-search-how-to-part-viii-the-in-operator-and-subsearches.aspx