Connecting the dots: Solving IT asset visibility with Dataprime

In large tech organizations, keeping track of every laptop, desktop, and endpoint is one of the IT department’s toughest challenges. Each device needs to be accounted for, properly assigned, and compliant with the organization’s policies, all while teams, offices, and contractors constantly change.

Their goal is simple enough: know who’s using what, make sure it’s secure, and catch anything slipping through the cracks. But in practice, asset visibility gets messy fast. Devices are provisioned, reassigned, and retired almost daily. Contractors come and go. Logs pour in from Windows, macOS, and cloud systems, each speaking a slightly different dialect. And when things get messy, they also get risky. A single unmonitored device can quietly drift out of compliance or open a hole in your security posture.

One global enterprise faced this exact problem: an unconventional observability challenge that pushed their current tools to the limit. When they turned to DataPrime, Coralogix’s versatile query and data transformation language, they found that the framework used to solve log challenges in other teams could just as easily handle IT asset visibility. 

The Challenge: Inconsistent Device Logs, No Unified View

In this case, an observability challenge came from an unexpected direction: IT device visibility. The IT operations team wanted a simple answer: How many devices are active and compliant, and which ones need attention?

But the data was scattered. 

• Device logs from Microsoft Intune (Windows) and Kandji (macOS) arrived in inconsistent formats, with missing fields and mismatched names. 
• Even the same field (like device_id) was sometimes named or formatted inconsistently. 
• Compliance logic wasn’t encoded anywhere, leaving IT teams to hunt for violations manually.
• Long-term storage was either too costly or incomplete, making historical trends impossible to track.

For IT teams, this situation is familiar. Two problems tend to collide here: inconsistent data structures and a tangle of disconnected tools. When teams have to juggle multiple systems just to get a basic answer, tracking compliance or ownership becomes a slog.

However, these problems are not unique to IT. Data fragmentation hits every domain, from tracing microservices to analyzing user events. That’s what makes this challenge so universal.

Why This Problem Persists

Even sophisticated observability stacks struggle with IT asset visibility. The problem isn’t the data itself; it’s how most tools are built.

Device telemetry is noisy, unstructured, and ever-changing. But traditional observability platforms expect neat, predictable schemas. When the real world refuses to play by those rules, things break.

• Rigid schemas: Any structural difference in log formats can break dashboards and alerts.
• Search-only tools: Without real data shaping (joins, transforms, enrichments), users can’t build the logic they need.
• Index-based pricing: Makes long-term data storage prohibitively expensive and limits exploration.
• Siloed tools: Security, IT, and DevOps each work from different data sources, making unified insight impossible.

How DataPrime Solves It

Modern organizations need clarity across their assets, endpoints, and users: a dynamic picture of identities, overlapping data sources, inconsistent formats, and shifting ownership. Visibility should never stop at services and uptime. 

That’s exactly the kind of chaos DataPrime was built for.

DataPrime lets you query, reshape, and unify any event type in one statement: instead of forcing data to fit a predefined model, you describe the logic you want, and DataPrime shapes the data accordingly.

With DataPrime, teams can:

• Unify fragmented data streams from different systems, like Intune and Kandji, using joins to combine Windows and macOS logs in a single query.
  
• Standardize structures on demand, renaming or reformatting fields such as device_id or assigned_user inline, without changing upstream ingestion.
  
• Embed business logic directly in queries, detecting inactive devices, duplicate assignments, or compliance violations through conditional expressions and joins.
  
• Visualize and act, turning those queries into dashboards and alerts that track compliance and anomalies in real-time.

In short:
“DataPrime doesn’t just observe your environment, it understands it.

Here’s what that looks like in practice — unifying two different data sources into a single, standardized dataset:

source logs
| create is_last_30_days from lastSyncDateTime:timestamp >= @now() - 30d
| filter $l.applicationName == 'Intune'
| filter complianceState == 'compliant'
| choose deviceName, serialNumber, userName, lastSyncDateTime, $l.applicationName
| union (source logs
    | filter $l.applicationName == 'Kandji'
    | create is_last_30_days from last_checkin:timestamp >= @now() - 30d
    | create deviceName from device_name
    | create serialNumber from device_id
    | create userName from user.email
    | create lastSyncDateTime from last_checkin
)
| groupby deviceName, serialNumber, userName, lastSyncDateTime, $l.applicationName as Application
| dedupby serialNumber

This single statement:

• Merged Intune and Kandji logs. 
• Aligned field names.
• Produced a unified view of all devices and their compliance status. 

What It Looked Like In Practice

For this global enterprise, data collection wasn’t the issue, making sense of it was. Their IT team managed thousands of laptops across regions, split between Intune and Kandji. Each system spoke its own language. Even basic identifiers like device_id and last_login didn’t line up.

Simple questions became small projects: How many devices are active? Which users haven’t logged in? Are all machines encrypted and compliant? Every report meant hours of reconciliation across exports and spreadsheets.

With DataPrime, that changed almost immediately.

Here is the logic that powered their compliance and anomaly detection, surfacing inactive or duplicated devices across systems:

source logs
| create is_last_30_days from lastSyncDateTime:timestamp < @now() && lastSyncDateTime:timestamp >= @now() - 30d
| filter is_last_30_days == false
| union (source logs
    | filter $l.applicatioNname == 'Kandji'
    | create is_last_30_days from last_checkin:timestamp < @now() && last_checkin:timestamp >= @now() - 30d
    | create deviceName from device_name
    | create serialNumber from device_id
    | create userName from user.email
    | create lastSyncDateTime from last_checkin
)
| groupby serialNumber agg collect(userName, distinct = true) as names,
                         distinct_count(userName) as users_per_device
| filter users_per_device > 1 using serialNumber into new
| choose serialNumber, deviceName, users_per_device, names, lastSyncDateTime

This query identified devices that hadn’t synced recently and those assigned to multiple users.
Suddenly, everything clicked. At a glance, they could see:

• Total device counts. 
• Compliance status. 
• Inactive users.
• Historical trends. 

What once took weeks of cleanup now took hours.

The Outcome: Real-Time Device Intelligence

Within a single day, the IT team had what they’d always wanted: a live, trustworthy view of every laptop and desktop, Windows or macOS. Each entry carried its user, location, and compliance status.

They could instantly see inactive devices, duplicates, and failed checks. They could zoom out to trends or drill into specifics, all from one dashboard.

Historical data became accessible and useful, revealing patterns before they became problems.

The results were immediate:

• Faster investigations: Security and IT teams could pivot instantly from high-level trends to the raw logs that explained them.
  
• Proactive compliance: Devices that slipped out of policy were flagged automatically, reducing manual checks and audit preparation time.
  
• Cost optimization: Underutilized or unassigned endpoints were quickly identified, revealing real opportunities for hardware savings.

What used to take weeks of reconciliation and spreadsheet wrangling now happened continuously, powered by live queries. Instead of static reports, they had dynamic insights for operational intelligence that evolved with their environment.

Why It Matters

This isn’t just about better dashboards or faster reports. It’s about turning observability into operational intelligence. 

For IT, security, and platform teams, unified device visibility means decisions can be based on real, correlated data, rather than assumptions or spreadsheets. Risk drops. Compliance tightens. Hours once lost to maintenance can now be spent on improvement.

DataPrime makes that shift possible by letting teams express their logic directly where the data lives, with fewer bottlenecks, rigid schemas, or storage tradeoffs. It bridges the gap between fragmented telemetry and real-time insight.

In an era where data grows faster than our ability to structure it, tools that adapt to complexity are no longer optional, they’re essential. This story centers on device tracking, but it represents something much broader: the ability of DataPrime to adapt instantly to any data challenge, expected or not.

DataPrime makes observability what it was always meant to be: fast, flexible, and grounded in reality.

See it live at AWS re:Invent

Come see Dataprime in action and experience how Coralogix is redefining modern observability. Visit us at booth #1739 at AWS re:Invent.