Change query in Driver's workbook to filter out Cancelled policies (#…

…2855) * Change query in Driver's workbook to filter out Cancelled policies * Don't show service state in table * Change all query instances to filter out cancelled policies
microsoft · Dec 6, 2024 · c0737fe · c0737fe
1 parent 71be61d
commit c0737fe
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/Workbooks/UpdateCompliance/Driver updates/Driver updates.workbook b/Workbooks/UpdateCompliance/Driver updates/Driver updates.workbook
@@ -102,7 +102,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "// intialitze filters\r\nlet _SnapshotTime = datetime({_SnapshotTime});\r\n// Prepare the subtables\r\nlet UCServiceUpdateStatus_Info = UCServiceUpdateStatus | where TimeGenerated == _SnapshotTime;                               \r\nlet UCClient_Info = UCClient | where TimeGenerated == _SnapshotTime;\r\n\r\nUCServiceUpdateStatus_Info\r\n| join kind=innerunique UCClient_Info on AzureADDeviceId\r\n| where UpdateCategory == \"DriverUpdate\"\r\n| extend DevicesCount = \"Devices count\"\r\n| extend ViewDetails = \"View details\"\r\n| summarize TotalDevices=count() by DevicesCount, ViewDetails",
+        "query": "// intialitze filters\r\nlet _SnapshotTime = datetime({_SnapshotTime});\r\n// Prepare the subtables\r\nlet UCServiceUpdateStatus_Info = UCServiceUpdateStatus | where TimeGenerated == _SnapshotTime;                               \r\nlet UCClient_Info = UCClient | where TimeGenerated == _SnapshotTime;\r\n\r\nUCServiceUpdateStatus_Info\r\n| join kind=innerunique UCClient_Info on AzureADDeviceId\r\n| where UpdateCategory == \"DriverUpdate\"\r\n| where ServiceState != \"Cancelled\"\r\n| extend DevicesCount = \"Devices count\"\r\n| extend ViewDetails = \"View details\"\r\n| summarize TotalDevices=count() by DevicesCount, ViewDetails",
         "size": 3,
         "title": "Devices taking driver updates",
         "noDataMessage": "No devices",
@@ -217,7 +217,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "let _SnapshotTime = datetime({_SnapshotTime});\r\nUCServiceUpdateStatus\r\n| where TimeGenerated == _SnapshotTime\r\n| where UpdateCategory == \"DriverUpdate\"\r\n| summarize by CatalogId\r\n| extend Subtitle = \"Number of updates approved\"\r\n| extend Title = \"Approved updates\"\r\n| extend ViewDetails = \"View details\"\r\n| summarize count() by Title, Subtitle, ViewDetails;\r\n",
+        "query": "let _SnapshotTime = datetime({_SnapshotTime});\r\nUCServiceUpdateStatus\r\n| where TimeGenerated == _SnapshotTime\r\n| where UpdateCategory == \"DriverUpdate\"\r\n| where ServiceState != \"Cancelled\"\r\n| summarize by CatalogId\r\n| extend Subtitle = \"Number of updates approved\"\r\n| extend Title = \"Approved updates\"\r\n| extend ViewDetails = \"View details\"\r\n| summarize count() by Title, Subtitle, ViewDetails;\r\n",
         "size": 3,
         "title": "Approved updates",
         "noDataMessage": "No approved updates",
@@ -333,7 +333,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "let _SnapshotTime = datetime({_SnapshotTime});\r\nUCServiceUpdateStatus\r\n| where TimeGenerated == _SnapshotTime\r\n| where UpdateCategory == \"DriverUpdate\"\r\n| summarize by PolicyId\r\n| extend Subtitle = \"Number of policies created\"\r\n| extend Title = \"Total policies\"\r\n| extend ViewDetails = \"View details\"\r\n| summarize count() by Title, Subtitle, ViewDetails;",
+        "query": "let _SnapshotTime = datetime({_SnapshotTime});\r\nUCServiceUpdateStatus\r\n| where TimeGenerated == _SnapshotTime\r\n| where UpdateCategory == \"DriverUpdate\"\r\n| where ServiceState != \"Cancelled\"\r\n| summarize by PolicyId\r\n| extend Subtitle = \"Number of policies created\"\r\n| extend Title = \"Total policies\"\r\n| extend ViewDetails = \"View details\"\r\n| summarize count() by Title, Subtitle, ViewDetails;",
         "size": 3,
         "title": "Total policies",
         "noDataMessage": "No policies",
@@ -427,7 +427,7 @@
                   {
                     "name": "DataQuery",
                     "source": "static",
-                    "value": "let _SnapshotTime = datetime({_SnapshotTime}); UCServiceUpdateStatus | where TimeGenerated == _SnapshotTime | where UpdateCategory == \"DriverUpdate\" | summarize TotalDevices = dcount(AzureADDeviceId) by PolicyId | project PolicyId, TotalDevices"
+                    "value": "let _SnapshotTime = datetime({_SnapshotTime}); UCServiceUpdateStatus | where TimeGenerated == _SnapshotTime | where UpdateCategory == \"DriverUpdate\" | where ServiceState != \"Cancelled\" | summarize TotalDevices = dcount(AzureADDeviceId) by PolicyId, ServiceState | project PolicyId, TotalDevices, ServiceState"
                   },
                   {
                     "name": "_SnapshotTime",
@@ -655,7 +655,7 @@
             "type": 3,
             "content": {
               "version": "KqlItem/1.0",
-              "query": "let _SnapshotTime = datetime({_SnapshotTime});\r\nUCServiceUpdateStatus\r\n| where TimeGenerated == _SnapshotTime\r\n| where UpdateCategory == \"DriverUpdate\"\r\n| distinct  CatalogId, UpdateClassification\r\n| summarize  count() by UpdateClassification\r\n",
+              "query": "let _SnapshotTime = datetime({_SnapshotTime});\r\nUCServiceUpdateStatus\r\n| where TimeGenerated == _SnapshotTime\r\n| where UpdateCategory == \"DriverUpdate\"\r\n| where ServiceState != \"Cancelled\"\r\n| distinct  CatalogId, UpdateClassification\r\n| summarize  count() by UpdateClassification\r\n",
               "size": 3,
               "showAnalytics": true,
               "title": "Distribution of Driver Classes",
@@ -1037,7 +1037,7 @@
             "type": 3,
             "content": {
               "version": "KqlItem/1.0",
-              "query": "let _SnapshotTime = datetime({_SnapshotTime});\r\nlet _PolicyId = \"{PolicyId1}\";\r\nlet _UpdateManufacturer = \"{UpdateManufacturer1}\";\r\nlet _UpdateClassification = \"{UpdateClassification1}\";\r\nlet _ServiceState = \"{ServiceState1}\";\r\nlet _ClientState = \"{ClientState1}\";\r\n\r\n// Prepare the subtables\r\nlet UCServiceUpdateStatus_Info = UCServiceUpdateStatus | where TimeGenerated == _SnapshotTime and UpdateCategory == \"DriverUpdate\";                               \r\nlet UCUpdateAlert_Info = UCUpdateAlert | where TimeGenerated == _SnapshotTime and UpdateCategory == \"DriverUpdate\" and AlertStatus == \"Active\";\r\nlet UCClientUpdateStatus_Info = UCClientUpdateStatus | where TimeGenerated == _SnapshotTime and UpdateCategory == \"DriverUpdate\";\r\nlet UCServiceClientUpdateStatus = UCServiceUpdateStatus_Info | join kind=leftouter (UCClientUpdateStatus_Info) on  AzureADDeviceId, CatalogId; \r\nlet UCDriverAlertsWithPolicyId = UCServiceUpdateStatus_Info | join kind=inner(UCUpdateAlert_Info) on  AzureADDeviceId, CatalogId;\r\n\r\n// Business logic\r\nlet AggregateDeviceCounts = UCServiceClientUpdateStatus \r\n|where iff(_PolicyId has \"ALL\", true, _PolicyId has tostring(PolicyId))\r\n|where iff(_UpdateManufacturer has \"ALL\", true, _UpdateManufacturer has tostring(UpdateManufacturer))\r\n|where iff(_UpdateClassification has \"ALL\", true, _UpdateClassification has tostring(UpdateClassification))\r\n|where iff(_ServiceState has \"ALL\", true, _ServiceState has tostring(ServiceState))\r\n|where iff(_ClientState has \"ALL\", true, _ClientState has tostring(ClientState))\r\n| summarize \r\n    TotalDevices=dcount(AzureADDeviceId),\r\n    InstalledCount=dcountif(AzureADDeviceId, ClientState == \"Installed\") by PolicyId, CatalogId, UpdateClassification, UpdateDisplayName, DeploymentApprovedTime, UpdateManufacturer, ServiceState, ServiceSubstate, ClientState, ClientSubstate\r\n| extend TotalProgress=round((InstalledCount * 1.0/ TotalDevices) * 100, 1);\r\n\r\nlet AggregateAlertSubTypeCount = UCDriverAlertsWithPolicyId \r\n| summarize Alerts=dcount(ErrorCode) by PolicyId, CatalogId, DeploymentId,UpdateManufacturer, UpdateCategory, UpdateClassification, ServiceState, ServiceSubstate;\r\n\r\n// join for final output\r\nAggregateDeviceCounts\r\n| join kind=leftouter (AggregateAlertSubTypeCount) on PolicyId,CatalogId\r\n| summarize by PolicyId, CatalogId, DeploymentId,UpdateDisplayName, DeploymentApprovedTime, UpdateManufacturer, UpdateClassification, TotalProgress, Alerts, TotalDevices, UpdateCategory, ServiceState, ServiceSubstate, ClientState, ClientSubstate\r\n| project-reorder PolicyId, CatalogId, DeploymentId, UpdateDisplayName, DeploymentApprovedTime, UpdateManufacturer, UpdateClassification, ServiceState, ServiceSubstate, ClientState, ClientSubstate, TotalProgress, Alerts, TotalDevices",
+              "query": "let _SnapshotTime = datetime({_SnapshotTime});\r\nlet _PolicyId = \"{PolicyId1}\";\r\nlet _UpdateManufacturer = \"{UpdateManufacturer1}\";\r\nlet _UpdateClassification = \"{UpdateClassification1}\";\r\nlet _ServiceState = \"{ServiceState1}\";\r\nlet _ClientState = \"{ClientState1}\";\r\n\r\n// Prepare the subtables\r\nlet UCServiceUpdateStatus_Info = UCServiceUpdateStatus | where TimeGenerated == _SnapshotTime and UpdateCategory == \"DriverUpdate\" and ServiceState != \"Cancelled\";                               \r\nlet UCUpdateAlert_Info = UCUpdateAlert | where TimeGenerated == _SnapshotTime and UpdateCategory == \"DriverUpdate\" and AlertStatus == \"Active\";\r\nlet UCClientUpdateStatus_Info = UCClientUpdateStatus | where TimeGenerated == _SnapshotTime and UpdateCategory == \"DriverUpdate\";\r\nlet UCServiceClientUpdateStatus = UCServiceUpdateStatus_Info | join kind=leftouter (UCClientUpdateStatus_Info) on  AzureADDeviceId, CatalogId; \r\nlet UCDriverAlertsWithPolicyId = UCServiceUpdateStatus_Info | join kind=inner(UCUpdateAlert_Info) on  AzureADDeviceId, CatalogId;\r\n\r\n// Business logic\r\nlet AggregateDeviceCounts = UCServiceClientUpdateStatus \r\n|where iff(_PolicyId has \"ALL\", true, _PolicyId has tostring(PolicyId))\r\n|where iff(_UpdateManufacturer has \"ALL\", true, _UpdateManufacturer has tostring(UpdateManufacturer))\r\n|where iff(_UpdateClassification has \"ALL\", true, _UpdateClassification has tostring(UpdateClassification))\r\n|where iff(_ServiceState has \"ALL\", true, _ServiceState has tostring(ServiceState))\r\n|where iff(_ClientState has \"ALL\", true, _ClientState has tostring(ClientState))\r\n| summarize \r\n    TotalDevices=dcount(AzureADDeviceId),\r\n    InstalledCount=dcountif(AzureADDeviceId, ClientState == \"Installed\") by PolicyId, CatalogId, UpdateClassification, UpdateDisplayName, DeploymentApprovedTime, UpdateManufacturer, ServiceState, ServiceSubstate, ClientState, ClientSubstate\r\n| extend TotalProgress=round((InstalledCount * 1.0/ TotalDevices) * 100, 1);\r\n\r\nlet AggregateAlertSubTypeCount = UCDriverAlertsWithPolicyId \r\n| summarize Alerts=dcount(ErrorCode) by PolicyId, CatalogId, DeploymentId,UpdateManufacturer, UpdateCategory, UpdateClassification, ServiceState, ServiceSubstate;\r\n\r\n// join for final output\r\nAggregateDeviceCounts\r\n| join kind=leftouter (AggregateAlertSubTypeCount) on PolicyId,CatalogId\r\n| summarize by PolicyId, CatalogId, DeploymentId,UpdateDisplayName, DeploymentApprovedTime, UpdateManufacturer, UpdateClassification, TotalProgress, Alerts, TotalDevices, UpdateCategory, ServiceState, ServiceSubstate, ClientState, ClientSubstate\r\n| project-reorder PolicyId, CatalogId, DeploymentId, UpdateDisplayName, DeploymentApprovedTime, UpdateManufacturer, UpdateClassification, ServiceState, ServiceSubstate, ClientState, ClientSubstate, TotalProgress, Alerts, TotalDevices",
               "size": 0,
               "showAnalytics": true,
               "noDataMessage": "No devices",
@@ -1438,8 +1438,8 @@
               "query": "let _SnapshotTime = datetime({_SnapshotTime});\r\nUCDeviceAlert\r\n| join kind=innerunique UCClientUpdateStatus on AzureADDeviceId, TimeGenerated\r\n| where TimeGenerated == _SnapshotTime\r\n| where UpdateCategory == \"DriverUpdate\"\r\n| where AlertStatus == \"Active\"\r\n| summarize count() by AlertClassification",
               "size": 3,
               "showAnalytics": true,
-              "noDataMessage": "No alerts",
               "title": "Device alerts",
+              "noDataMessage": "No alerts",
               "showExportToExcel": true,
               "queryType": 0,
               "resourceType": "microsoft.operationalinsights/workspaces",
@@ -1473,7 +1473,7 @@
             "type": 3,
             "content": {
               "version": "KqlItem/1.0",
-              "query": "\r\nlet _SnapshotTime = datetime({_SnapshotTime});\r\n\r\n// Prepare the subtables\r\nlet UCServiceUpdateStatus_Info =  UCServiceUpdateStatus | where TimeGenerated == _SnapshotTime and UpdateCategory == \"DriverUpdate\" ; \r\nlet UCClient_Info = UCClient | where TimeGenerated == _SnapshotTime; \r\nlet UCClientUpdateStatus_Info = UCClientUpdateStatus | where TimeGenerated == _SnapshotTime and UpdateCategory == \"DriverUpdate\";\r\nlet UCUpdateAlert_Info = UCUpdateAlert | where TimeGenerated == _SnapshotTime and UpdateCategory == \"DriverUpdate\"| where AlertStatus == \"Active\";   \r\n\r\nlet UCServiceUpdateStatus2_Info = UCServiceUpdateStatus_Info | join kind=leftouter (UCClient_Info) on  AzureADDeviceId;\r\nlet UCServiceClientUpdateStatus = UCServiceUpdateStatus2_Info | join kind=leftouter (UCClientUpdateStatus_Info) on  AzureADDeviceId, CatalogId; \r\n\r\nlet AlertsCount = UCUpdateAlert_Info| summarize Alerts =count() by  AzureADDeviceId, CatalogId; \r\n\r\nlet UCServiceClientUpdateStatus_alertCount = UCServiceClientUpdateStatus |  join kind=leftouter (AlertsCount) on  AzureADDeviceId, CatalogId; \r\n\r\n\r\nUCServiceClientUpdateStatus_alertCount\r\n|distinct DeviceName, AzureADDeviceId, CatalogId, UpdateDisplayName, DeploymentApprovedTime , OfferReadyTime, ServiceState, ClientState, Alerts\r\n| project DeviceName, AzureADDeviceId, CatalogId, UpdateDisplayName, DeploymentApprovedTime, OfferReadyTime, ServiceState, ClientState, Alerts",
+              "query": "\r\nlet _SnapshotTime = datetime({_SnapshotTime});\r\n\r\n// Prepare the subtables\r\nlet UCServiceUpdateStatus_Info =  UCServiceUpdateStatus | where TimeGenerated == _SnapshotTime and UpdateCategory == \"DriverUpdate\" and ServiceState != \"Cancelled\"; \r\nlet UCClient_Info = UCClient | where TimeGenerated == _SnapshotTime; \r\nlet UCClientUpdateStatus_Info = UCClientUpdateStatus | where TimeGenerated == _SnapshotTime and UpdateCategory == \"DriverUpdate\";\r\nlet UCUpdateAlert_Info = UCUpdateAlert | where TimeGenerated == _SnapshotTime and UpdateCategory == \"DriverUpdate\"| where AlertStatus == \"Active\";   \r\n\r\nlet UCServiceUpdateStatus2_Info = UCServiceUpdateStatus_Info | join kind=leftouter (UCClient_Info) on  AzureADDeviceId;\r\nlet UCServiceClientUpdateStatus = UCServiceUpdateStatus2_Info | join kind=leftouter (UCClientUpdateStatus_Info) on  AzureADDeviceId, CatalogId; \r\n\r\nlet AlertsCount = UCUpdateAlert_Info| summarize Alerts =count() by  AzureADDeviceId, CatalogId; \r\n\r\nlet UCServiceClientUpdateStatus_alertCount = UCServiceClientUpdateStatus |  join kind=leftouter (AlertsCount) on  AzureADDeviceId, CatalogId; \r\n\r\n\r\nUCServiceClientUpdateStatus_alertCount\r\n|distinct DeviceName, AzureADDeviceId, CatalogId, UpdateDisplayName, DeploymentApprovedTime , OfferReadyTime, ServiceState, ClientState, Alerts\r\n| project DeviceName, AzureADDeviceId, CatalogId, UpdateDisplayName, DeploymentApprovedTime, OfferReadyTime, ServiceState, ClientState, Alerts",
               "size": 0,
               "showAnalytics": true,
               "title": "Device compliance status",