I need to write a query to see results that are over 15 days old. I have this code where I am getting the avg_duration in the timespan format (15.04:01:02). I want to now filter based off of avg_duration to only return results over 15 days old.
| summarize arg_max(TimeGenerated, *) by ResourceId, RecommendationId, Severity
| order by RecommendationId asc, TimeGenerated asc
| extend duration = iff(RecommendationId == prev(RecommendationId), TimeGenerated - prev(TimeGenerated), 0s)
| summarize avg(duration) by ResourceId, RecommendationId, Severity
| where avg_duration >= "15.0:0:0"
When I run this in Log Analytics I get the error "Cannot compare values of types timespan and long. Try adding explicit casts". Any ideas how I can filter on a timespan?
Instead of:
| where avg_duration >= "15.0:0:0"
you should write
| where avg_duration >= 15d // note that 15d stands for 15 days
See more details on how to write timespan literals here.
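A self-contained version of the fix, as an added example (not the asker's or the answerer's code): a constructed datatable stands in for the recommendation table, and the comparison uses the timespan literal 15d. The resource names and sample dates are assumptions.

```kusto
// Constructed sample rows standing in for the recommendation table in the question.
datatable(TimeGenerated:datetime, ResourceId:string, RecommendationId:string, Severity:string)
[
    datetime(2024-01-01), "/subscriptions/s1/vm1", "rec-1", "High",
    datetime(2024-02-01), "/subscriptions/s1/vm1", "rec-1", "High",
    datetime(2024-03-15), "/subscriptions/s1/vm1", "rec-1", "High",
    datetime(2024-01-01), "/subscriptions/s1/vm2", "rec-2", "Low",
    datetime(2024-01-05), "/subscriptions/s1/vm2", "rec-2", "Low"
]
| order by RecommendationId asc, TimeGenerated asc   // order serializes the rows so prev() works
| extend duration = iff(RecommendationId == prev(RecommendationId),
                        TimeGenerated - prev(TimeGenerated), 0s)
| summarize avg_duration = avg(duration) by ResourceId, RecommendationId, Severity
// avg_duration is a timespan, so compare it with a timespan literal, not with a string
| where avg_duration >= 15d
// alternatives: totimespan("15.00:00:00"), or divide by 1d to get a plain number of days
| extend avg_days = avg_duration / 1d
```

With these rows only rec-1 on vm1 survives the filter (its gaps of 31 and 43 days average to roughly 24.7 days, with the leading 0s counted as in the original query).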
Related
I am trying to create an alert for throttled messages in Event Hub. The query I am using is:
AzureMetrics
| where TimeGenerated > ago(30m)
| where MetricName == "OutgoingMessages" or MetricName == "IncomingMessages"
| extend Total_Outgoing_Messages = iif(MetricName == "OutgoingMessages", Total, 0.00)
| extend Total_Incoming_Messages = iif(MetricName == "IncomingMessages", Total, 0.00)
| summarize sum(Total_Outgoing_Messages), sum(Total_Incoming_Messages) by TimeGenerated
| extend Throttled_messages = abs(sum_Total_Incoming_Messages - sum_Total_Outgoing_Messages)
| extend condition = Throttled_messages > 10 and Throttled_messages < 25
I am trying to create an alert which should fire when the throttled message count is between > 10 and < 25. My condition column is giving me either true or false.
Could someone please check my KQL, whether I am heading in the right direction or not?
Thanks
by TimeGenerated doesn't seem to make sense.
Either use bin, e.g. by bin(TimeGenerated, 5m), or remove it completely, dependent on your alert logic.
A syntax comment:
There is no need for extend ... iif(...) ... as a preparation for the summarize sum(...).
You can simply use sumif().
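The rewrite the answer suggests, written out as an added example rather than the poster's query: sumif() replaces the two extend/iif steps, rows are bucketed with bin(), and a where clause keeps only the buckets inside the 10..25 window so an alert rule configured to fire on "number of results greater than 0" triggers. The 5-minute bucket size is an assumption.

```kusto
AzureMetrics
| where TimeGenerated > ago(30m)
| where MetricName in ("OutgoingMessages", "IncomingMessages")
// sumif() computes the conditional totals directly; no extend/iif preparation needed
| summarize Incoming = sumif(Total, MetricName == "IncomingMessages"),
            Outgoing = sumif(Total, MetricName == "OutgoingMessages")
          by bin(TimeGenerated, 5m)          // bucket size is an assumption
| extend Throttled_messages = abs(Incoming - Outgoing)
// filter instead of a true/false column: the alert rule fires when rows come back
| where Throttled_messages > 10 and Throttled_messages < 25
```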
I have the following script:
let StartTime = datetime(2022-02-18 10:10:00 AM);
let EndTime = datetime(2022-02-18 10:15:00 AM);
MachineEvents
| where Timestamp between (StartTime .. EndTime)
| where Id == "00112233" and Name == "Higher"
| top 2 by Timestamp
| project Timestamp, Value
I got the following result:
What I am trying to achieve after that is to check if the last Value received (in this case, for example, it is 15451.433) is less than 30,000. If the condition is true, then I should check the difference between the last two consecutive values (in this case: 15451.433 - 15457.083). If the difference is < 0 then I should return the Value as true, else it should return false (in other words, the Value should give a boolean value instead of a double, as shown in the figure).
datatable(Timestamp:datetime, Value:double)
[
datetime(2022-02-18 10:15:00 AM), 15457.083,
datetime(2022-02-18 10:14:00 AM), 15451.433,
datetime(2022-02-18 10:13:00 AM), 15433.333,
datetime(2022-02-18 10:12:00 AM), 15411.111
]
| top 2 by Timestamp
| project Timestamp, Value
| extend nextValue=next(Value)
| extend finalResult = iff(Value < 30000, nextValue - Value < 0, false)
| top 1 by Timestamp
| project finalResult
Output:
finalResult
1
You can use the prev() function (or next()) to process the values in the other rows.
...
| extend previous = prev(value)
| extend diff = value - previous
| extend isPositive = diff > 0
You might need to use serialize if you don't have something like top that already does that for you.
I've been getting these alerts lately; however, if I search events in my Application Insights account, I only have 5 events in the last 24 hours and 7 events in the last 48 hours. The largest event contains a 660-character-long message. I doubt these events are anywhere close to 33 MB, which is equivalent to 0.0323 GB, right?
Am I misunderstanding something?
I found the Application Insights Analytics tool:
In the Analytics page, I noticed not all the tables were included in the query. Once I included the missing tables, I realized that 29,430 performanceCounter events and 88,290 customMetric events have been created in the last 48 hours.
Query:
union (traces
| where timestamp >= datetime(2018-06-22T07:40:59.999Z) and timestamp < datetime(2018-06-24T07:41:00.001Z)), (customEvents
| where timestamp >= datetime(2018-06-22T07:40:59.999Z) and timestamp < datetime(2018-06-24T07:41:00.001Z)), (pageViews
| where timestamp >= datetime(2018-06-22T07:40:59.999Z) and timestamp < datetime(2018-06-24T07:41:00.001Z)), (requests
| where timestamp >= datetime(2018-06-22T07:40:59.999Z) and timestamp < datetime(2018-06-24T07:41:00.001Z)), (dependencies
| where timestamp >= datetime(2018-06-22T07:40:59.999Z) and timestamp < datetime(2018-06-24T07:41:00.001Z)), (availabilityResults
| where timestamp >= datetime(2018-06-22T07:40:59.999Z) and timestamp < datetime(2018-06-24T07:41:00.001Z)), (exceptions
| where timestamp >= datetime(2018-06-22T07:40:59.999Z) and timestamp < datetime(2018-06-24T07:41:00.001Z)), (customMetrics
| where timestamp >= datetime(2018-06-22T07:40:59.999Z) and timestamp < datetime(2018-06-24T07:41:00.001Z)), (performanceCounters
| where timestamp >= datetime(2018-06-22T07:40:59.999Z) and timestamp < datetime(2018-06-24T07:41:00.001Z)), (browserTimings
| where timestamp >= datetime(2018-06-22T07:40:59.999Z) and timestamp < datetime(2018-06-24T07:41:00.001Z))
//| top 101 by timestamp desc
| summarize count() by itemType
Results:
itemType count_
performanceCounter 29,430
request 2
customMetric 88,290
trace 5
I guess this explains the alert I've been receiving.
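An added query (not from the original post) that extends the count-by-itemType check above with an estimated byte size per table, so the volume behind an ingestion alert can be attributed to the table producing it. It assumes estimate_data_size() is available in the reader's workspace and uses a 48-hour window like the original.

```kusto
// union the Application Insights tables that share the itemType column
union traces, customEvents, requests, dependencies, exceptions, customMetrics, performanceCounters
| where timestamp > ago(48h)
// estimate_data_size(*) returns an estimated byte count for each record's columns
| summarize rows = count(), est_bytes = sum(estimate_data_size(*)) by itemType
| extend est_GB = round(est_bytes / 1e9, 4)
| order by est_bytes desc
```

The per-table byte estimate, rather than the row count alone, is what explains a size-based alert when a few tables emit tens of thousands of small rows.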
I am trying a query which groups the data by months.
test_db=# select date_trunc('month', install_ts) AS month, count(id) AS count from api_booking group by month order by month asc;
month | count
------------------------+-------
2016-08-01 00:00:00+00 | 297
2016-09-01 00:00:00+00 | 2409
2016-10-01 00:00:00+00 | 2429
2016-11-01 00:00:00+00 | 3512
(4 rows)
This is the output in my postgres db shell.
However, when I try this query in Excel, this is the output:
month | count
------------------------+-------
2016-07-31 17:00:00+00 | 297
2016-08-31 17:00:00+00 | 2409
2016-09-30 17:00:00+00 | 2429
2016-10-31 17:00:00+00 | 3512
(4 rows)
The problem is, I think, that Excel is interpreting the date format in some different timezone.
So, how can I tell Excel to read it correctly?
OR is there any other solution to this problem?
Try...
select date(date_trunc('month', install_ts)) AS month, count(id) AS count from api_booking
The date() strips out the time from a date with a time.
Googling it a bit I found this to be an interesting question. Would like you guys' shots.
Having my table
USER | MAP | STARTDAY | ENDDAY
1 | A | 20110101 | 20110105
1 | B | 20110106 | 20110110
2 | A | 20110101 | 20110107
2 | B | 20110105 | 20110110
What I want is to fix user 2's case, where maps A and B overlap by a couple of days (from 20110105 until 20110107).
I wish I were able to query that table in a way that never returns overlapping ranges. My input data is flaky already, so I don't have to worry about the conflict treatment; I just want to be able to get a single value for any given BETWEEN on these dates.
Possible outputs for the query I'm trying to build would be like
USER | MAP | STARTDAY | ENDDAY
2 | B | 20110108 | 20110110 -- pushed overlapping days ahead..
2 | A | 20110101 | 20110104 -- shrunk overlapping range
It doesn't even matter if the algorithm causes "invalid ranges", e.g. Start = 20110105, End = 20110103, I'll just put null when I get to these cases.
What would you guys say? Is there any straightforward way to get this done?
Thanks!
f.
Analytic functions could help:
select userid, map
, case when prevend >= startday then prevend+1 else startday end newstart
, endday
from
( select userid, map, startday, endday
, lag(endday) over (partition by userid order by startday) prevend
from mytable
)
order by userid, startday
Gives:
USERID MAP NEWSTART ENDDAY
1 A 01/01/2011 01/05/2011
1 B 01/06/2011 01/10/2011
2 A 01/01/2011 01/07/2011
2 B 01/08/2011 01/10/2011