i have a Question about a Query in KQL.
I would like to use a Time at the KQL Query who only shows me the Results between 08:00 and 17:00 Time.
How can i build these at the KQL Query?
Im only find the DateTime Variable but i need only the Time?
Thanks a lot.
Regards,
Phil
The below is the example to show logs between specific time:
let start=datetime("10/26/2022 1:04:27.627 AM");
let end=datetime("10/26/2022 1:22:53.745 AM");
traces
| where timestamp > start and timestamp < end
If you only want timestamp then:
let start=datetime("10/26/2022 1:04:27.627 AM");
let end=datetime("10/26/2022 1:22:53.745 AM");
traces
| where timestamp > start and timestamp < end
| project timestamp
You can give your date and time in end and start in query.
Timestamp%1d will give us only the time part of the day (timespan).
// Data sample generation. Not part of the solution.
let t = materialize (range i from 1 to 20 step 1 | extend Timestamp = ago(7d * rand()));
// Solution starts here.
t
| where Timestamp%1d between (8h .. 17h)
| order by Timestamp%1d asc // Just for display
i
Timestamp
13
2022-10-19T08:26:45.2144968Z
1
2022-10-23T12:00:21.8528635Z
16
2022-10-19T12:50:27.4405648Z
19
2022-10-19T13:00:48.9000836Z
2
2022-10-24T13:19:30.956558Z
8
2022-10-25T13:51:25.726857Z
10
2022-10-22T14:12:09.8304847Z
7
2022-10-25T14:51:14.3011525Z
14
2022-10-20T15:21:04.5173436Z
11
2022-10-20T16:04:06.412613Z
12
2022-10-19T16:48:54.0581289Z
Fiddle
Related
Hi Kusto Query Language(KQL) lovers,
I am trying to write a query in Kusto Query Language (KQL), that can compare count of APIs that failed today in a specific time (lets say 2:30 p.m. to 3 p.m.) with respect to count of APIs that failed yesterday in the same timeframe (2:30 p.m. to 3 p.m.).
For instance, if today, in last 30 min operation X was failed 10 times with failure code 400, I need to see count with which operation X failed today in last 30 minutes (Same time frame).
For this purpose, I used Scalar function bin() and wrote following query that extracts data from request table:
requests
|where timestamp > ago(1d)
| where client_Type != "Browser"
| where (cloud_RoleName == 'X')
| where name != 'HTTP GET'
| where success == false
| summarize count() by bin (timestamp, 1d), name, resultCode
|sort by timestamp
Here is the output I got when using timestamp > ago(1d). This way, I was shown APIs that failed today and yesterday but there is no clear comparison between both dates.
Is there any way I can display count of APIs that failed yesterday on separate Column adjacent to the count_ Column that has count of corresponding APIs that failed today?
I know of project operator that adds extra column but I don't know how to incorporate and assign count of APIs that failed yesterday to project operator.
Kindly add to my knowledge of any relevant function or operator in KQL that can achieve this task.
The other way I tried was to define two variables, startDateTime and endDateTime to get the data of specific time as shown below.
Blank Output when I defined variables to define selected time frame:
let startDateTime = todatetime("2023-02-07 06:35:00.0");
let endDateTime = todatetime("2023-02-07 06:35:00.0");
requests
|where timestamp > startDateTime and timestamp < endDateTime
| where client_Type != "Browser"
| where (cloud_RoleName == 'web-memberappservice-weu-prod')
| where name != 'HTTP GET'
| where success == false
| summarize count() by bin (timestamp, 1d), name, resultCode
|sort by timestamp
I searched about KQL query to compare count of failed APIs for today with respect to count of APIs that failed yesterday and checked some results from Stack overflow which are not helping me in achieving desired result.
I tried these links but queries on these links do not reflect what I want to achieve:
Best way to show today Vs yesterday Vs week in KQL azure monitror
kql query to compare the hour which has minimum number of TriggersStarted from last week to today past hour TriggersStarted
What am I expecting?
I want a query that can display count of APIs that failed yesterday on separate Column adjacent to the count_ Column that has count of corresponding APIs that failed today.
I know of project operator that adds extra column but I don't know how to incorporate and assign count of APIs that failed yesterday to project operator.
Kindly identify any relevant function or operation that can help in this regard.
* The where clause was added for performance reasons.
// Sample data generation. Not part of the solution.
let requests = materialize(range i from 1 to 100000 step 1 | extend timestamp = ago(2d * rand()), name = tostring(dynamic(["PUT", "POST", "PATCH", "GET"])[toint(rand(4))]), resultCode = 400 + toint(rand(3)));
// Solution starts here.
let _period = 30m;
requests
| where timestamp between (ago(_period) .. _period)
or timestamp between (ago(_period + 1d) .. _period)
| summarize todayCount = countif(timestamp between (ago(_period) .. _period))
,YesterdayCount = countif(timestamp between (ago(_period + 1d) .. _period))
by name, resultCode
|sort by name asc, resultCode asc
name
resultCode
todayCount
YesterdayCount
GET
400
91
100
GET
401
98
98
GET
402
109
89
PATCH
400
93
77
PATCH
401
84
85
PATCH
402
74
82
POST
400
78
85
POST
401
96
77
POST
402
85
102
PUT
400
98
81
PUT
401
97
85
PUT
402
77
83
Fiddle
I am trying to add 1 day to a timestamp field.
Below is what I have tried but not working:
select studentid, (course_date + 1) as nextday from students where studentid=123;
select studentid,(course_date/DAY+1DAY) as nextday from students where studentid=123;
Kindly help.
Yes, you can specify a time component along with the date arithmetic. In this case, changing 1 to 1d (one day) solves this:
> SELECT studentid,course_date + 1d as nextday FROM students WHERE studentid=1;
studentid | nextday
-----------+---------------------------------
1 | 2022-01-04 06:00:00.000000+0000
(1 rows)
For more information, I recently wrote a blog post on the use of Arithmetic Operators in Apache Cassandra 4.0 as well as a short video on this topic! Below is a more comprehensive list of the valid time duration codes:
I am using azure customer metrics to store application usage metrics, I am exporting the stats every 5 minutes. I am using the query below to create a aggregated series without any gaps.
I expect the start to be 5/10/2020, 12:00:00.000 AM and end to be 5/14/2020, 12:00:00.000 AM. However in my results, start is fine , but the end is 5/10/2020, 10:35:00.000 AM. I am running this query on 5/13/2020, 4:09:07.878 AM. The min timestamp in my data is 5/11/2020, 12:54:06.489 PM and max is 5/12/2020, 2:32:47.459 PM.
What is wrong with my query? why the make-series wouldn't give rows beyond day 1
let start = floor(ago(1d),1d);
let end = floor(now(+1d),1d);
customMetrics
| where timestamp >= start
| where name == "endpoint_access_count_count_view"
| extend customMetric_valueSum = iif(itemType == 'customMetric',valueSum,todouble(''))
| make-series n_req = sum(customMetric_valueSum) on timestamp from start to end step 5m
| mvexpand n_req,timestamp
| extend timestamp=todatetime(timestamp),n_req=toint(n_req)
mvexpand, unlike mv-expand (note the hyphen), has a default limit of 128 values, so your results get truncated.
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/mvexpandoperator
I have a restaurant log in following format.
Date | Time | Bill Number | Item | Price | Total Orders
The store time is 11 Am to next day 5 am.
which will be over 24 hours.
But I want to calculate 11 am to next day 6 am as a single day.
Currently I am using Filter and sort to do it, but since data is of 2-3 months, is there a formula to sort it out?
For example
Jan 1st 11 am to Jan 2nd 6 am -> I want to calculate these time period as one day.
Solved it
using this
=TRUNC(B2+C2-TIME(6,0,0))
I have a variable minutes that I am having trouble cleaning/standardizing.
It is imported from Excel in a Date Time format, but I just want the minutes. For example, if a player plays 30 minutes and 34 seconds, it's displayed as 30:34 or 30:34:00. However, it's stored in Excel as 6:34 AM (30:34 is interpreted as military time), or 12:34 AM, depending on whether it is 30:34 or 30:34:00. Thus it ends up getting imported into Stata as 6:34 or 12:34, when the value I want is what's displayed (30:34 or 30:34:00). Is there a way for you to format a number in Excel to just be the value that is displayed?
Once it's imported into Stata it's impossible to standardize, because you cannot differentiate a player that plays 30:34 (when it displays 30:34:00) from a player that plays 6:34 (they will both show 6:34).
Please make a greater effort when posting questions. People in capacity to help might ignore the question because it is difficult to understand, because you provide no code (and thus show no effort), because the problem is not reproducible, and more.
Suppose an MS Excel sheet like the following
Then the following should get you started:
clear
set more off
import excel timetest.xls, cellrange(C2:C4) firstrow
gen hour = hh(time)
gen sec = mm(time)
gen realmin = hour + 24
order realmin, before(sec)
list
resulting in
. list
+-------------------------------------------+
| time hour realmin sec |
|-------------------------------------------|
1. | 01jan1900 06:34:00 6 30 34 |
2. | 01jan1900 00:00:00 0 24 0 |
+-------------------------------------------+
See help datetime. This is a must if working with dates and/or time.
Note that adding 24 won't work for any data set.
A general solution takes the form of
clear
set more off
import excel timetest.xls, cellrange(C2:C5) firstrow
gen hour = hh(time)
gen sec = mm(time)
gen t = dofc(time)
format t %td
gen dayselap = t - td(01jan1900) + 1
gen realmin = hour + (24 * dayselap)
drop hour t dayselap
order time realmin
list
For example, this data in MS Excel:
time
30:34:00
24:00:00
58:04:00
65:00:00
will produce
. list
+------------------------------------+
| time realmin sec |
|------------------------------------|
1. | 01jan1900 06:34:00 30 34 |
2. | 01jan1900 00:00:00 24 0 |
3. | 02jan1900 10:04:00 58 4 |
4. | 02jan1900 17:00:00 65 0 |
+------------------------------------+
(There might be an issue with leap years that you are encouraged to research yourself.)
An alternative solution may involve converting the values to text (within MS Excel) and then managing the text within Stata.
I am not at all familiar with Stata.
The problem is that the actual data in Excel is being entered incorrectly. Excel stores dates and times as days + fractions of a day, and then displays it according to the formatting.
So:
30:34 is really 0 hours 30 minutes 34 seconds and is stored as 2.1226851851851854E-2 which is the computation: 30/(24*60)+34/(24*60*60)
However 30:34:00 is really 30 hours, 34 minutes 0 seconds and is stored as 1.273611111111111 which is the computation 30/24+34/(24*60)
Depending on whether it is entered properly as 0:30:34, or improperly as 30:34 determines the value that is stored.
In Excel, you could possibly pre-process the values if you have some test to tell if the data was entered correctly or not.
For example:
=IF(time_unreasonable,A1/60,A1)
would convert the values if they had been incorrectly entered as hours:minutes rather than minutes:seconds.
Other solutions may also be feasible, perhaps even in Stata.