I am trying to create an alert for throttled message in eventhub. And the query i am using is:
AzureMetrics
| where TimeGenerated > ago(30m)
| where MetricName == "OutgoingMessages" or MetricName == "IncomingMessages"
| extend Total_Outgoing_Messages = iif(MetricName == "OutgoingMessages", Total, 0.00)
| extend Total_Incoming_Messages = iif(MetricName == "IncomingMessages", Total, 0.00)
| summarize sum(Total_Outgoing_Messages), sum(Total_Incoming_Messages) by TimeGenerated
| extend Throttled_messages = abs(sum_Total_Incoming_Messages - sum_Total_Outgoing_Messages)
| extend condition = Throttled_messages > 10 and Throttled_messages < 25
I am trying to create an alert which should be fired when throttled message is between > 10 and < 25. My condition column is giving me either true or false
Could someone please check my kql? whether i am heading to right direction or not
Thanks
by TimeGenerated doesn't seem to make sense.
Either use bin, e.g. by bin(TimeGenerated, 5m), or remove it completely, dependent on your alert logic.
a Syntax comment -
No need for extend ... iif(...) ... as a preparation for the summarize sum(...).
You can simply use sumif()
Related
I have the following script:
let StartTime = datetime(2022-02-18 10:10:00 AM);
let EndTime = datetime(2022-02-18 10:15:00 AM);
MachineEvents
| where Timestamp between (StartTime .. EndTime)
| where Id == "00112233" and Name == "Higher"
| top 2 by Timestamp
| project Timestamp, Value
I got the following result:
What I am trying to achieve after that is to check if the last Value received (in this case for example it is 15451.433) is less than 30,000. If the condition is true, then I should check again the difference between the last two consecutive values (in this case : 15451.433 - 15457.083). If the difference is < 0 then I should return the Value as true, else it should return as false (by other words the Value should give a boolean value instead of double as shown in the figure)
datatable(Timestamp:datetime, Value:double)
[
datetime(2022-02-18 10:15:00 AM), 15457.083,
datetime(2022-02-18 10:14:00 AM), 15451.433,
datetime(2022-02-18 10:13:00 AM), 15433.333,
datetime(2022-02-18 10:12:00 AM), 15411.111
]
| top 2 by Timestamp
| project Timestamp, Value
| extend nextValue=next(Value)
| extend finalResult = iff(Value < 30000, nextValue - Value < 0, false)
| top 1 by Timestamp
| project finalResult
Output:
finalResult
1
You can use the prev() function (or next()) to process the values in the other rows.
...
| extend previous = prev(value)
| extend diff = value - previous
| extend isPositive = diff > 0
You might need to use serialize if you don't have something like top that already does that for you.
I need to write a query to see results that are over 15 days old. I have this code where I am getting the avg_duration in the timespan format (15.04:01:02). I want to now filter based off of avg_duration to only return results over 15 days old.
| summarize arg_max(TimeGenerated, *) by ResourceId, RecommendationId, Severity
| order by RecommendationId asc, TimeGenerated asc
| extend duration = iff(RecommendationId == prev(RecommendationId), TimeGenerated - prev(TimeGenerated), 0s)
| summarize avg(duration) by ResourceId, RecommendationId, Severity
| where avg_duration >= "15.0:0:0"
When I run this in log Analytics I get the error "Cannot compare values of types timespan and long. Try adding explicit casts". Any ideas how I can filter timespan?
Instead of:
| where avg_duration >= "15.0:0:0"
you should write
| where avg_duration >= 15d // note that 15d stands for 15 days
See more details on how to write timespan literals here.
We have 2 customlogs in loganalytics out of that I am able to get avg of each one and I need to merge those 2 and make it as 1 means avg of vpn+url
workspace(name).vpn_CL
| extend healty=iff(Status_s == 'Connected' , 100 , 0)
| summarize vpn = avg(healty) by EnvName_s, ClientName_s
|
join
(
workspace(name).url_CL
| extend Availability=iff(StatusDescription_s == 'OK' , 100 , 0)
| summarize URL=avg(Availability) by EnvName_s, ClientName_s
) on ClientName_s
| project Client=ClientName_s, Environment=EnvName_s , vpn , URL
Based on my understanding, I think the value of the average of vpn+url is the result of plus vpn value with url value when the number of healty entites is equals to the number of Availability entites.
Otherwise, if their entites quantity are not equal, the average of the two labels is a expected value based on their probabilities,
Then,
workspace(name).vpn_CL
| extend healty=iff(Status_s == 'Connected' , 100 , 0)
| summarize m = count(), vpn = avg(healty) by EnvName_s, ClientName_s
|
join
(
workspace(name).url_CL
| extend Availability=iff(StatusDescription_s == 'OK' , 100 , 0)
| summarize n = count(), URL=avg(Availability) by EnvName_s, ClientName_s
) on ClientName_s
| project Client=ClientName_s, Environment=EnvName_s , vpn , URL, avgOfVpnUrl = vpn*m/(m+n)+url*n/(m+n)
Hope it helps.
I have a query like;
example_CL
| where field1 == "name"
| top 1 by TimeGenerated desc
Gives me the latest row with the latest value of "name" like;
name quota used
samplename 100 75
I'm trying to make a donut chart which shows 75/100.
would this work?
datatable(field1:string, quota:int, used:int)
[
"somename", 100, 75
]
| project used, unsued = quota - used
| evaluate narrow()
| project Column, toint(Value)
| render piechart
Googling it a bit I found this to be an interesting question. Would like you guys shots.
Having my table
USER | MAP | STARTDAY | ENDDAY
1 | A | 20110101 | 20110105
1 | B | 20110106 | 20110110
2 | A | 20110101 | 20110107
2 | B | 20110105 | 20110110
Whant I want is to fix user's 2 case, where maps A and B overlaps by a couple days (from 20110105 until 20110107).
I wish I was able to query that table in a way that it never return overlapping ranges. My input data is falky already, so I don't have to worry with the conflict treatment, I just want to be able to get a single value for any given BETWEEN these dates.
Possible outputs for the query I'm trying to build would be like
USER | MAP | STARTDAY | ENDDAY
2 | B | 20110108 | 20110110 -- pushed overlapping days ahead..
2 | A | 20110101 | 20110104 -- shrunk overlapping range
It doesn't even matter if the algorithm causes "invalid ranges", e.g. Start = 20110105, End = 20110103, I'll just put null when I get to these cases.
What would you guys say? Any straight forward way to get this done?
Thanks!
f.
Analytic functions could help:
select userid, map
, case when prevend >= startday then prevend+1 else startday end newstart
, endday
from
( select userid, map, startday, endday
, lag(endday) over (partition by userid order by startday) prevend
from mytable
)
order by userid, startday
Gives:
USERID MAP NEWSTART ENDDAY
1 A 01/01/2011 01/05/2011
1 B 01/06/2011 01/10/2011
2 A 01/01/2011 01/07/2011
2 B 01/08/2011 01/10/2011