I am very new to the syntax of Kusto queries. My goal is to create a Kusto query to retrieve which Logic App has a system error and in which action the error was located. Additionally, I would like to know which connector this failed action belongs to. For example, if the action "Move Email" failed, I would like to have the connector name, in this case Office 365 Outlook or something similar, in order to classify the action.
My query to achieve this goal was based on the Table "AzureDiagnostics":
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.LOGIC"
| where Category == "WorkflowRuntime"
| where status_s == "Failed"
| where code_s !has 'ActionFailed'
| where OperationName has "workflowActionCompleted" or OperationName has "workflowTriggerCompleted"
| extend ResourceName = coalesce(resource_actionName_s, resource_triggerName_s)
| extend ResourceCategory = substring(OperationName, 34, strlen(OperationName) - 43)
| project
LogicAppName = resource_workflowName_s,
ResourceCategory,
ResourceName,
LogicAppId = resource_runId_s,
ErrorCode = code_s,
ErrorMessage = error_message_s,
ErrorTime = format_datetime(startTime_t,'dd.MM.yyyy')
The connector name will give me the possibility to classify the failed logic apps, and this way I can create a report to show which type of connector we are having issues with.
Thanks in advance for your help or another workaround to classify the failed logic apps.
After reproducing from our end, one of the workarounds is to fetch the action name of the failed step along with the status using the query below.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.LOGIC"
| where Category == "WorkflowRuntime"
| where status_s == "Failed"
| extend Status = code_s
| project
LogicAppName = resource_workflowName_s,
ResourceRunID = resource_runId_s,
Operation = OperationName,
ActionName = coalesce(resource_actionName_s, resource_triggerName_s),
Status
RESULTS:
Updated Answer
There is no direct way to get the connector's name. One of the workarounds would be using tracked properties to save the connector name and retrieve it through logs. Not a perfect way but this is one of the workarounds that achieves the requirement.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.LOGIC"
| where OperationName == "Microsoft.Logic/workflows/workflowActionCompleted"
| where status_s == "Failed"
| extend Status = code_s
| project
LogicAppName = resource_workflowName_s,
ResourceRunID = resource_runId_s,
Operation = OperationName,
ActionName = coalesce(resource_actionName_s, resource_triggerName_s),
Status,
ConnectorName = trackedProperties_ConnectorName_s
Below is the flow in my logic app
Failed Run
In logs
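A tracked property of the kind this answer describes, shown as an added example (not the answerer's own workflow): a fragment of a Logic App workflow definition in which the failed action from the question carries a static ConnectorName value. The action name "Move_email" and the "inputs" values are placeholders assumed for illustration; only the "trackedProperties" object matters here.

```json
{
  "actions": {
    "Move_email": {
      "type": "ApiConnection",
      "inputs": {
        "host": {
          "connection": {
            "name": "<placeholder: connection reference generated by the designer>"
          }
        },
        "method": "post",
        "path": "<placeholder: operation path generated by the designer>"
      },
      "runAfter": {},
      "trackedProperties": {
        "ConnectorName": "Office 365 Outlook"
      }
    }
  }
}
```

With diagnostics sent to Log Analytics, this value is what the query above reads as trackedProperties_ConnectorName_s. Each action to be classified needs its own trackedProperties entry.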
I am trying to get a left outer join, or a join with extend or mv-expand, on Graph API to list all non-compliant disks with a specific path (non-comp reason). In other words, extracting fields from policy and fields from resource, e.g.:
resources
| where type == "microsoft.compute/disks" and subscriptionId == '3mmmmm333333####e35'
| join kind=leftouter (policyresources
| where type == "microsoft.policyinsights/policystates"
Some resources I am going through are https://www.youtube.com/watch?v=r_3Ydr6fCHQ and https://github.com/globalbao/azure-resource-graph/blob/master/README.md but the join statement to correlate the resource queries is not working with either outer or join. Maybe I need to narrow down to the related item under the resource and resource policy?
If anyone has similar report extraction code with a leftouter join between policy and compute resources, that would be helpful.
KQL join query to extract compliance report from resource. To get some fields from resource and some from compliance related to resource
To achieve this, here is a KQL query to extract compliance for disk resources:
By referring to the MS doc, I've included the relevant part of the query and tried changing the resource type to resourceType = "microsoft.compute/disks"; I was able to receive the expected results.
PolicyResources
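| where type =~ 'Microsoft.PolicyInsights/PolicyStates'
// Keep only policy states for disks; the constant resourceType below only labels rows, it does not filter them
| where tostring(properties.resourceType) =~ 'Microsoft.Compute/disks'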
| extend complianceState = tostring(properties.complianceState)
| extend
resourceId = tostring(properties.resourceId),
resourceType = "microsoft.compute/disks",
policyAssignmentId = tostring(properties.policyAssignmentId),
policyDefinitionId = tostring(properties.policyDefinitionId),
policyDefinitionReferenceId = tostring(properties.policyDefinitionReferenceId),
stateWeight = iff(complianceState == 'NonCompliant', int(300), iff(complianceState == 'Compliant', int(200), iff(complianceState == 'Conflict', int(100), iff(complianceState == 'Exempt', int(50), int(0)))))
| summarize max(stateWeight) by resourceId, resourceType
| summarize counts = count() by resourceType, max_stateWeight
| summarize overallStateWeight = max(max_stateWeight),
nonCompliantCount = sumif(counts, max_stateWeight == 300),
compliantCount = sumif(counts, max_stateWeight == 200),
conflictCount = sumif(counts, max_stateWeight == 100),
exemptCount = sumif(counts, max_stateWeight == 50) by resourceType
| extend totalResources = todouble(nonCompliantCount + compliantCount + conflictCount + exemptCount)
| extend compliancePercentage = iff(totalResources == 0, todouble(100), 100 * todouble(compliantCount + exemptCount) / totalResources)
| project resourceType,
overAllComplianceState = iff(overallStateWeight == 300, 'noncompliant', iff(overallStateWeight == 200, 'compliant', iff(overallStateWeight == 100, 'conflict', iff(overallStateWeight == 50, 'exempt', 'notstarted')))),
compliancePercentage,
compliantCount,
nonCompliantCount,
conflictCount,
exemptCount
Output:
I've pulled up all the relevant fields here, but you can extend and project the fields you want based on your requirements.
I am using Azure Log Analytics workspaces and am trying to write a simple query to get the exception message when an Azure function fails.
This is the query I am using
union AppTraces
| union AppExceptions
| union AppRequests
| where AppRoleName has "-NEU"
| where TimeGenerated > ago(1d)
//| where Success == "false"
| order by TimeGenerated asc
| project
Success,
TimeGenerated,
AppRoleName,
message = iff(Message != '', Message, iff(InnermostMessage != '', InnermostMessage, Properties.['prop__{OriginalFormat}'])),
logLevel = Properties.['LogLevel']
| where logLevel != "Information"
The problem is that Success property is always empty and I expect it to be either true or false, I am using the Success property in other queries and it works just fine, for example as follows:
AppRequests
| project TimeGenerated, OperationName, Success, ResultCode, DurationMs, AppRoleName
| where AppRoleName has "NEU"
| where OperationName != "MinimumAppVersionHead" and OperationName != "QueueManagerHead"
| where Success != "true"
| order by TimeGenerated desc
| take 20
In the above case the Success where clause works as expected
Why is it not working in the first query?
Please check the workaround below; it may help. We tried a simple query to check whether the Success property works, and it works successfully in Logs with true and false using the query below.
As it works with the second query, it means you have added the Log Analytics workspace for your function app successfully.
It seems there is an issue with the "" in //| where Success == "false". Instead, try removing the comment (//) and the "", and use the sample format below in your query.
requests
| where success == false
| summarize failedCount=sum(itemCount), impactedUsers=dcount(user_Id) by operation_Name
| order by failedCount desc
We tried the Success property the same way as in your first query and got no results. By removing the "", it works at our end.
Here are sample screenshots of the output:
OUTPUT OF THE GIVEN QUERY FOR FUNCTION APP FAILURE:
For more information, please refer to the links below:
MS DOC| View and query your Function app logs
BLOG| Alerts on Azure Function failures
I have this query that works in Azure logs when I set the scope to the specific Application Insights resource I want to use
let usg_events = dynamic(["*"]);
let mainTable = union pageViews, customEvents, requests
| where timestamp > ago(1d)
| where isempty(operation_SyntheticSource)
| extend name =replace("\n", "", name)
| where '*' in (usg_events) or name in (usg_events)
;
let queryTable = mainTable;
let cohortedTable = queryTable
| extend dimension =tostring(client_CountryOrRegion)
| extend dimension = iif(isempty(dimension), "<undefined>", dimension)
| summarize hll = hll(user_Id) by tostring(dimension)
| extend Users = dcount_hll(hll)
| order by Users desc
| serialize rank = row_number()
| extend dimension = iff(rank > 5, 'Other', dimension)
| summarize merged = hll_merge(hll) by tostring(dimension)
| project ["Country or region"] = dimension, Counts = dcount_hll(merged);
cohortedTable
but trying to use the same in Grafana just gives an error.
"'union' operator: Failed to resolve table expression named 'pageViews'"
Which is the same I get in Azure logs if I don't set the scope to the specific Application Insights resource. So my question is: how do I make Grafana target this specific scope inside the logs? The query just gets the countries of the users that log in.
As far as I know, there is currently no option/feature to add Scope in Grafana.
The Scope is available only in the Azure Log Analytics Workspace.
If you want the Feature/Resolution, please raise a ticket in Grafana Community where all the issues are officially addressed.
I have a question about how I could show success rate on an Azure Dashboard.
If I have a single telemetry event that indicates success or failure, it's quite simple:
customEvents
| where name == "ResponseEvent" and customDimensions.Condition == "test"
| summarize count() by tostring(customDimensions.State) //State could be Success|Failure
| render piechart
But in my case - I have 2 events: RequestEvent, SuccessResponseEvent and from those two I want to get success rate, something like: successRate = 100*successCount/requestCount.
I end up with this join:
customEvents
| where name == "RequestEvent" and customDimensions.Condition == "test"
| summarize requestCount = count()
| extend joinField = "1"
| join ( customEvents
| where name == "SuccessResponseEvent" and customDimensions.Condition == "test"
| summarize successCount = count()
| extend joinField = "1")
on joinField
| extend successRate = (100 * successCount / requestCount)
//////| extend failureRate = 100 - successRate
| project successRate
| render table
I got the value I need, but I only manage to display it as table, while I need a piechart.
I thought about adding union:
let success = view () { print x=toint(80) };
let failure = view () { print x=toint(20) };
union withsource=TableName success, failure
| render piechart
But I don't see how to do this in my request.
Or create variables using let statement and try to calculate everything and join using materialize(createRequestRecieved), but it causes quite a lot of errors and I hope some simple way exists.
Question is: maybe somebody could point me to how I could achieve this: calculate one value, maybe display it as two values (success and 100-success) and arrange them in format valid for "render piechart" operator?
And a second question, not so important: could I join them by some existing field? When I'm trying to use joinField = tostring(customDimensions.MappingField) I'm getting an error: Ensure that expression: customDimensions.MappingField is indeed a simple name
If you are going for a piechart, it would require a string legend field and a value on each row for that legend, so a union of two results should work:
requests
| summarize Success = sumif(itemCount, success == true)
| project Legend = "Success", Value = Success
| union
(requests
| summarize Failed = sumif(itemCount, success == false)
| project Legend = "Failed", Value = Failed )
| render piechart
Going for a barchart would allow to use both summarize clauses in one query without join/union and may speed up performance:
requests
| summarize Success = sumif(itemCount, success == true), Failed = sumif(itemCount, success == false)
| project Legend = "Status", Success, Failed
| render barchart
Similarly, to calculate the rate in the same query:
requests
| summarize Success = sumif(itemCount, success == true), Failed = sumif(itemCount, success == false)
| extend SuccessRate = Success * 1.0 / (Success + Failed)
I'm quite sure it's not the best option and I'm missing something in this query language's capabilities, but I could put my request in a variable, apply some caching and repeat it twice, I suppose:
let dataSource = customEvents
| where name == "RequestEvent" and customDimensions.Condition == "test"
| summarize requestCount = count()
| extend joinField = "1"
| join ( customEvents
| where name == "SuccessResponseEvent" and customDimensions.Condition == "test"
| summarize successCount = count()
| extend joinField = "1")
on joinField
| extend successRate = (100 * successCount / requestCount)
| extend failureRate = 100 - successRate;
let cacheddataSource = materialize(dataSource);
cacheddataSource
| project Legend = "Success", Value = successRate
| union (
dataSource
|project Legend = "Failure", Value = failureRate
)
| render piechart
So, let and materialize more or less helps, maybe some tweaks will be necessary to display actual amount of successes and failures.
I'm trying to create a custom metric alert based on some metrics in my Application Insights logs. Below is the query I'm using;
let start = customEvents
| where customDimensions.configName == "configName"
| where name == "name"
| extend timestamp, correlationId = tostring(customDimensions.correlationId), configName = tostring(customDimensions.configName);
let ending = customEvents
| where customDimensions.configName == "configName"
| where name == "anotherName"
| where customDimensions.taskName == "taskName"
| extend timestamp, correlationId = tostring(customDimensions.correlationId), configName = tostring(customDimensions.configName), name= name, nameTimeStamp= timestamp ;
let timeDiffs = start
| join (ending) on correlationId
| extend timeDiff = nameTimeStamp- timestamp
| project timeDiff, timestamp, nameTimeStamp, name, anotherName, correlationId;
timeDiffs
| summarize AggregatedValue=avg(timeDiff) by bin(timestamp, 1m)
When I run this query in Analytics page, I get results, however when I try to create a custom metric alert, I got the error Search Query should contain 'AggregatedValue' and 'bin(timestamp, [roundTo])' for Metric alert type
The only response I found was adding AggregatedValue which I already have, I'm not sure why custom metric alert page is giving me this error.
I found what was wrong with my query. Essentially, the aggregated value needs to be numeric; however, AggregatedValue=avg(timeDiff) produces a time value, but it was in seconds, so it was a bit hard to notice. Converting it to int solves the problem.
I have just updated the last bit as follows:
timeDiffs
| summarize AggregatedValue=toint(avg(timeDiff)/time(1ms)) by bin(timestamp, 5m)
This brings another challenge on Aggregate On while creating the alert as AggregatedValue is not part of the grouping that is coming after by statement.