Azure kusto unable to create chart - azure

The error I got is
"The Line can't be created as you are missing a column of one of the following types: int, long, decimal, or real"
This is my query. I am looking for the chart to display "number of unique resource IDs over time, with an aggregation timespan of 5m":
syslog_CL
| where data_s contains "Reject"
| where hostname_s contains "Network1"
| where TimeGenerated > ago(1hr)
Is there any suggestion I can add to the query to get the time chart?

You could try something like this:
syslog_CL
| where data_s contains "Reject"
| where hostname_s contains "Network1"
| where TimeGenerated > ago(1hr)
| summarize dcount(_ResourceId) by bin(TimeGenerated, 5m)
| render timechart

Azure Log Analytics Query with WHERE clause produces no results

I'm querying log entries in Azure Application Insights originating from AppCenter Diagnostics using Azure Log Analytics.
In some log entries I use custom properties.
Now I'm trying to write a query to show values only with certain properties having a given value.
My original query looks like this and produces the expected result:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
| top 101 by timestamp desc
| project timestamp, name, customDimensions.Properties
| where name == "Navigated to details view"
Hovering over the "productId" property shows a plus sign which allows adding a filter criterion:
Choosing this option extends my query:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
| top 101 by timestamp desc
| project timestamp, name, customDimensions.Properties
| where name == "Navigated to details view"
| where customDimensions_Properties.productId == 4711
So far, so good. If I now try to run this query I get the message "NO RESULTS FOUND":
Edit:
I also tried adding the where clause on the bottom to the first where clause
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
and name == "Navigated to details view"
and customDimensions.Properties.productId == 4711
| top 101 by timestamp desc
| project timestamp, name, customDimensions
Unfortunately no result either.
Edit 2:
I also tried this query to see if I can project the productId property in my query without including it in the where clause:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
and name == "Navigated to details view"
| top 101 by timestamp desc
| project timestamp, name, customDimensions, customDimensions.Properties.productId
But this column is empty:
Is there anything I am missing? Is the tooling a problem and producing a wrong query?
Thank you for any help!
You would have to use various operators like mvexpand and extend to accomplish your requirement. Please find below sample query. Note that the below one is just a sample query which you may have to tweak a bit to make it work as expected and get the expected output (say if you are expecting output with all the columns of the customEvent at a particular timestamp which has particular productId, etc.)
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
| top 101 by timestamp desc
| project timestamp, name, customDimensions_Properties
| where name == "Navigated to details view"
| extend CDP_toString=parsejson(tostring(customDimensions_Properties))
| mvexpand CDP_toString
| project CDP_toString
| where CDP_toString.['productId'] == "4711";
Hope this helps!! Cheers!! :)
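An added example, not part of the original question or answer: it runs against a constructed datatable instead of customEvents and assumes that Properties is stored inside customDimensions as a JSON-encoded string, which would explain both the empty projected column and why the answer re-parses it. The names sampleEvents, direct, props and productId are hypothetical.

```kusto
// Constructed sample rows, not real telemetry.
// Assumption: Properties is a JSON *string* nested inside the dynamic customDimensions column.
let sampleEvents = datatable(timestamp: datetime, name: string, customDimensions: dynamic)
[
    datetime(2019-02-20T10:00:00Z), "Navigated to details view", dynamic({"Properties": "{\"productId\":\"4711\"}"}),
    datetime(2019-02-20T11:00:00Z), "Navigated to details view", dynamic({"Properties": "{\"productId\":\"1234\"}"}),
    datetime(2019-02-20T12:00:00Z), "App started",               dynamic({"Properties": "{}"})
];
sampleEvents
| where name == "Navigated to details view"
// Direct path access: empty, because a string has no productId member.
| extend direct = tostring(customDimensions.Properties.productId)
// Re-parse the string into a property bag first, then read the member.
| extend props = parse_json(tostring(customDimensions.Properties))
| extend productId = tostring(props.productId)
// Compare as strings so the filter does not depend on how the value was serialized.
| where productId == "4711"
| project timestamp, name, direct, productId
```

Filtering before project also keeps the timestamp and name columns available, which the sample query in the answer drops.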

How to zero-fill charts/bins in Application Insights Analytics

I'm trying to plot an area chart of one sum/count metric over time in Application Insights Analytics:
customEvents
| where timestamp > ago(7d)
| summarize count() by bin(timestamp, 1h)
| render areachart
What I see is that if there is no data in some buckets then the chart doesn't drop to 0. Instead two dots are connected and there is a perception that there was some data when in fact there was not.
Question - how to get zero-filled area charts (corresponding to red ink chart)?
There are several ways to achieve this.
The make-series operator allows setting a default value for the periods where no data is present for aggregation:
customEvents
| where timestamp > ago(10m)
| make-series count() default=0 on timestamp in range(ago(10m), now(), 1m)
| render areachart
This will produce a zero-filled data array and | render will build the chart accordingly.
If | summarize is preferred, you can create a zero-filled range yourself with the range operator:
let defaultValue = 0;
range timestamp from floor(ago(10m),1m) to floor(now() + 10m,1m) step 1m
| join kind=leftouter
(
customEvents
| where timestamp > floor(ago(10m),1m) and timestamp < floor(now(),1m)
| summarize Value=count() by bin(timestamp, 1m)
) on timestamp
| project timestamp, value = iff(isnotempty(Value), Value, defaultValue)
| render areachart
Make sure to use join kind=leftouter to have all timestamps from the left side of the join present in output.

Application Insight Analytics Pivot

Is there a way to pivot in Azure Application Insights Analytics queries? SQL has a Pivot keyword; can something similar be achieved in Application Insights Analytics?
When I run the below query I get exceptions and count, but I would like to see a day-on-day trend.
exceptions
| where timestamp >= ago(24h)
| extend Api = replace(@"/(\d+)",@"/xxxx", operation_Name)
| summarize count() by type
| sort by count_ desc
| limit 10
| project Exception = type, Count = count_
I am looking for something below day wise.
The easiest way to achieve something similar to what you need is by using:
exceptions
| where timestamp >= ago(7d)
| summarize count() by type, bin(timestamp, 1d)
This will give in the output one line per-type, per-day. Not exactly what you wanted but it will look good when rendered in graph (will give you a line for each type).
To get a table similar to what you put in your example would be more difficult, but this query should do the trick:
exceptions
| where timestamp >= startofday(ago(3d))
| extend Api = replace(@"/(\d+)",@"/xxxx", operation_Name)
| summarize count() by type, bin(timestamp, 1d)
| summarize
Today = sumif(count_, timestamp == startofday(now())),
Today_1 = sumif(count_, timestamp == startofday(ago(1d))),
Today_2 = sumif(count_, timestamp == startofday(ago(2d))),
Today_3 = sumif(count_, timestamp == startofday(ago(3d)))
by type

"Failed to resolve 'top' key column" Error in Application Insights Analytics Custom Dimensions

I have some data in Application Insights, and I am using the Analytics view to write queries against it.
I can see that I have a trace, the CustomDimensions of which contain a property called ActivityID, which is a guid:
What I want to do is now run another query to return all traces that contain that ActivityId.
Using this as guide, I currently have the following:
union (traces
| extend ActivityId = tostring(customDimensions.ActivityId)
| project ActivityId
| where ActivityId == "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
| top 101 by timestamp desc
However, this is returning the following syntax error message:
Failed to resolve 'top' key column
What am I doing wrong? I would also appreciate an explanation of the error message if possible.
You cannot do a top on projection unless you actually include the timestamp column in the projection.
I did :
union (traces)
| top 101 by timestamp desc
| project session_Id
so this should work
union (traces
| extend ActivityId = tostring(customDimensions.ActivityId)
| where ActivityId == "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
| top 101 by timestamp desc
| project ActivityId
and then it works. What is your complete query (I guess there is more since you are using union?)
You must project the 'timestamp' column if you want to use it inside the top.
traces
| extend ActivityId = tostring(customDimensions.ActivityId)
| project ActivityId, timestamp
| where ActivityId == "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
| top 101 by timestamp desc
*Note that you also do not need to use union

Azure Application Insights Query - How to calculate percentage of total

I'm trying to create a row in an output table that would calculate percentage of total items:
Something like this:
ITEM | COUNT | PERCENTAGE
item 1 | 4 | 80
item 2 | 1 | 20
I can easily get a table with rows of ITEM and COUNT, but I can't figure out how to get total (5 in this case) as a number so I can calculate percentage in column %.
someTable
| where name == "Some Name"
| summarize COUNT = count() by ITEM = tostring( customDimensions.["SomePar"])
| project ITEM, COUNT, PERCENTAGE = (C/?)*100
Any ideas? Thank you.
It's a bit messy to create a query like that.
I've done it based on the customEvents table in AI. So take a look and see if you can adapt it to your specific situation.
You have to create a table that contains the total count of records, you then have to join this table. Since you can join only on a common column you need a column that has always the same value. I chose appName for that.
So the whole query looks like:
let totalEvents = customEvents
// | where name contains "Opened form"
| summarize count() by appName
| project appName, count_ ;
customEvents
// | where name contains "Opened form"
| join kind=leftouter totalEvents on appName
| summarize count() by name, count_
| project name, totalCount = count_ , itemCount = count_1, percentage = (todouble(count_1) * 100 / todouble(count_))
If you need a filter you have to apply it to both tables.
This outputs:
It is not even necessary to do a join or create a table containing your totals
Just calculate your total and save it in a let like so.
let totalEvents = toscalar(customEvents
| where timestamp > "someDate"
and name == "someEvent"
| summarize count());
Then you can simply add a row to your next table, where you need the percentage calculation, by doing:
| extend total = totalEvents
This will add a new column to your table filled with the total you calculated.
After that you can calculate the percentages as described in the other two answers.
| extend percentages = todouble(count_)*100/todouble(total)
where count_ is the column created by your summarize count() which you presumably do before adding the percentages.
Hope this also helps someone.
I think following is more intuitive. Just extend the set with a dummy property and do a join on that...
requests
| summarize count()
| extend a="b"
| join (
requests
| summarize count() by name
| extend a="b"
) on a
| project name, percentage = (todouble(count_1) * 100 / todouble(count_))
This might work too:
someTable
| summarize count() by item
| as T
| extend percent = 100.0*count_/toscalar(T | summarize sum(count_))
| sort by percent desc
| extend row_cumsum(percent)
