Kusto Query to the earliest timestamp grouped by user_Id - azure

I'm just starting with Kusto, and my journey was abruptly stopped by the problem of getting the list of user_Ids with the timestamp of the very first customEvent sent by each user in a given time frame.
How should I modify my query to get these results (let's assume that the limiting timespan is 30 days)?
customEvents
| where timestamp >= ago(30d)
| summarize min(timestamp)

If you want to get just the min of the timestamp, add the "by" clause:
customEvents
| where timestamp >= ago(30d)
| summarize min(timestamp) by user_Id
If you want to get the full row, use arg_min() function, for example:
customEvents
| where timestamp >= ago(30d)
| summarize arg_min(timestamp, *) by user_Id
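The arg_min() form above, carried one step further as an added example (not the answer's own query): it keeps the whole row of each user's earliest event and flags identities whose first appearance falls inside the last 7 days, which is the usual starting point for a "new account" baseline. It assumes the Application Insights customEvents table with its timestamp, user_Id, name and client_IP columns.

```kusto
// Added example, not from the answer above. Assumes the Application Insights
// customEvents table with timestamp, user_Id, name and client_IP columns.
let lookback = 30d;
let newWindow = 7d;
customEvents
| where timestamp >= ago(lookback)
| where isnotempty(user_Id)          // anonymous events carry no identity to baseline
// arg_min returns the complete row of each user's earliest event in the window,
// so the first event's name and client IP travel with its timestamp
| summarize arg_min(timestamp, name, client_IP), events = count() by user_Id
| extend firstSeen = timestamp
| extend isNewUser = firstSeen >= ago(newWindow)
| project user_Id, firstSeen, firstEvent = name, firstClientIP = client_IP, events, isNewUser
| order by firstSeen asc
```

"First" here is relative to the 30-day window: a user whose real first event predates it still shows up with a firstSeen inside the window, so widen lookback when the intent is a true first-ever baseline rather than first-in-period.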

Related

Trying to calculate the average on a count of records in my query results

I'm trying to create a query in Application Insights that can show me the absolute and average number of messages in conversations over a particular time period. I'm using the LUIS trace example to get the context + LUIS information, which is where I'm pulling the conversationID from. I can get a table showing the number of messages per conversation, but I would also like to have an average number of messages for the data set. Either a static average or a rolling average (by pulling in timestamp) would be fine. I can get this value by doing a second summarize statement, but then I lose the granularity from the first. Here is my query.
requests
| where url endswith "messages"
| where timestamp > ago(30d)
| project timestamp, url, id
| parse kind = regex url with *"(?i)http://"botName".azurewebsites.net/api/messages"
| join kind= inner (
traces | extend id = operation_ParentId
) on id
| where message == "LUIS"
| extend convID = tostring(customDimensions.LUIS_botContext_conversation_id)
| order by timestamp desc nulls last
| project timestamp, botName, convID
| summarize messages=count() by conversation=convID
This gives me a table of conversation IDs with the message count for each conversation. I would also like to see the average number of messages per conversation. For example, if I have 4 conversations with 100 messages total, I want to see that the average is 25. I can get this result by doing a second summarize statement | summarize messages=sum(messages), avgMessages=avg(messages), but then of course I can no longer see the individual conversations. Is there any way to see both in the same table?
You can write 2 queries, one for "gives me a table of conversation IDs with the message count for each conversation", and another for "the average number of messages per conversation". And consider using a let statement for your query.
The tricky part here is that, in both of the 2 queries, after the summarize statement, add this line of code at the end, like | extend myidentifier="aaa".
Then you can join the 2 queries by using myidentifier.
I couldn't figure out how to do this without losing granularity from the first list (i.e. I couldn't figure out how to calculate average per period e.g. day), but the following query does at least get me the average across whatever timestamp filter I set, which ultimately gets me at the data I was looking for.
requests
| where url endswith "messages"
| where timestamp > ago(30d)
| project timestamp, url, id
| parse kind = regex url with *"(?i)http://"botName".azurewebsites.net/api/messages"
| join kind= inner (
traces | extend id = operation_ParentId
) on id
| where message == "LUIS"
| extend convID = tostring(customDimensions.LUIS_botContext_conversation_id)
| order by timestamp desc nulls last
| project timestamp, botName, convID
| summarize messages=count() by conversation=convID
| summarize conversations=count(), messageAverage=avg(messages)
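Both answers above, combined into one runnable query as an added example (not code from either answer): the constant-key join the first answer describes puts the data-set totals on every per-conversation row, and a toscalar() binding shows the one-line alternative. The constructed datatable stands in for the per-conversation result that the question's requests/traces join produces, so it runs without Application Insights data; it uses the question's own figures (4 conversations, 100 messages, average 25).

```kusto
// Added example (not the code of either answer). The datatable is constructed
// to replace the question's requests/traces join so the query runs stand-alone.
let perConversation = datatable(conversation:string, messages:long)
[
    "conv-a", 40,
    "conv-b", 30,
    "conv-c", 20,
    "conv-d", 10
];
// The data-set average as a scalar: the one-line alternative to the join below
let overallAvg = toscalar(perConversation | summarize avg(messages));
// The constant-key join from the first answer: both sides get the same dummy
// key, so every detail row is paired with the single aggregate row
let aggregate = perConversation
| summarize conversations = count(), totalMessages = sum(messages), avgMessages = avg(messages)
| extend k = 1;
perConversation
| extend k = 1
| join kind=inner aggregate on k
// ratio to the mean: a conversation far above 1.0 is unusually chatty
// (a scripted or automated client is one common cause worth reviewing)
| extend ratioToAvg = round(todouble(messages) / overallAvg, 2)
| project conversation, messages, conversations, totalMessages, avgMessages, ratioToAvg
| order by messages desc
```

With this input every row carries conversations = 4, totalMessages = 100 and avgMessages = 25, while ratioToAvg runs 1.6, 1.2, 0.8, 0.4 for conv-a through conv-d. For a per-day average rather than a whole-window one, add bin(timestamp, 1d) to the summarize on both sides and join on that bin instead of the dummy key.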

How to fix 'empty join will fail query'

I want to show the amount of total requests, and the total of the failing requests that are being tracked by Application Insights.
When there are no failing requests in the table, the query returns an empty object (via the API; in the portal it says 'NO RESULTS FOUND 0 records matched').
I've tried setting up a variable which is 0 and giving it a new value in the join.
I also tried to check if the join value is null or empty and gave it a 0 value when so.
But none of that helped.
requests
| where timestamp > ago(1h)
| summarize totalCount=sum(itemCount) by timestamp
| join (
requests
| where success == false and timestamp > ago(1h)
| summarize totalFailCount =sum(itemCount) by timestamp
) on timestamp
| project timestamp, totalCount, totalFailCount
What I want as a result is that if there are no failing requests, totalFailCount should display 0.
It seems that you do not need a join in this case. If you aggregate by timestamp you will get buckets based on the actual values in this column; most people prefer to count by time "buckets", for example one minute. Here is an example of that:
requests
| where timestamp > ago(1h)
| summarize totalCount=count(), totalFailCount = countif(success == false) by bin(timestamp, 1m)
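The countif()/sumif() approach above avoids the join entirely. When the second number really does come from another table, the same empty-result failure occurs unless the join is an outer one and the missing side is defaulted. The following is an added example, not the answer's own query; it keeps the question's sum(itemCount) weighting and assumes the Application Insights requests and exceptions tables with their timestamp, itemCount and success columns.

```kusto
// Added example, not the answer's query. Assumes the Application Insights
// requests and exceptions tables (timestamp, itemCount, success columns).
let window = 1h;
let step = 1m;
// Same-table case: no join needed, sumif() yields 0 for buckets without failures
let totals = requests
| where timestamp > ago(window)
| summarize totalCount = sum(itemCount),
            totalFailCount = sumif(itemCount, success == false)
  by bin(timestamp, step);
// Other-table case: exceptions may have no rows at all in the window
let exceptionsPerMinute = exceptions
| where timestamp > ago(window)
| summarize exceptionCount = sum(itemCount) by bin(timestamp, step);
totals
// leftouter keeps every request bucket even when the exceptions side is empty;
// an inner join (the default) would drop them and produce the empty result
| join kind=leftouter exceptionsPerMinute on timestamp
| project timestamp, totalCount, totalFailCount,
          exceptionCount = coalesce(exceptionCount, long(0))   // null from the outer join becomes 0
| order by timestamp asc
```

Minutes in which there were no requests at all are still absent, because bin() only produces buckets for rows that exist; filling those with zeros is the make-series/range technique covered in the zero-fill question further down this page.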

Azure Log Analytics Query with WHERE clause produces no results

I'm querying log entries in Azure Application Insights originating from AppCenter Diagnostics using Azure Log Analytics.
In some log entries I use custom properties.
Now I'm trying to write a query to show values only where certain properties have a given value.
My original query looks like this and produces the expected result:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
| top 101 by timestamp desc
| project timestamp, name, customDimensions.Properties
| where name == "Navigated to details view"
Hovering over the "productId" property shows a plus sign which allows adding a filter criterion:
Choosing this option extends my query:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
| top 101 by timestamp desc
| project timestamp, name, customDimensions.Properties
| where name == "Navigated to details view"
| where customDimensions_Properties.productId == 4711
So far, so good. If I now try to run this query I get the message "NO RESULTS FOUND":
Edit:
I also tried adding the where clause on the bottom to the first where clause
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
and name == "Navigated to details view"
and customDimensions.Properties.productId == 4711
| top 101 by timestamp desc
| project timestamp, name, customDimensions
Unfortunately no result either.
Edit 2:
I also tried this query to see if I can project the productId property in my query without including it in the where clause:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
and name == "Navigated to details view"
| top 101 by timestamp desc
| project timestamp, name, customDimensions, customDimensions.Properties.productId
But this column is empty:
Is there anything I am missing? Is the tooling a problem and producing a wrong query?
Thank you for any help!
You would have to use various operators like mvexpand and extend to accomplish your requirement. Please find a sample query below. Note that the one below is just a sample query which you may have to tweak a bit to make it work as expected and get the expected output (say, if you are expecting output with all the columns of the customEvent at a particular timestamp which has a particular productId, etc.)
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
| top 101 by timestamp desc
| project timestamp, name, customDimensions_Properties
| where name == "Navigated to details view"
| extend CDP_toString=parsejson(tostring(customDimensions_Properties))
| mvexpand CDP_toString
| project CDP_toString
| where CDP_toString.['productId'] == "4711";
Hope this helps!! Cheers!! :)
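The answer's sample works around the fact that customDimensions.Properties arrives as a serialized JSON string rather than a nested object, so a dotted path into it finds nothing until it is parsed. The following is an added example, not the answer's own query, that makes that step explicit and filters without mv-expand; it assumes the event shape from the question (a Properties key holding a JSON string with a productId inside) and uses a constructed datatable so it runs stand-alone. The third sample row stores productId as a number rather than a string, to show why comparing as text is the safer choice.

```kusto
// Added example; not the answer's query. Assumes the AppCenter event shape from
// the question: customDimensions.Properties holds a JSON *string*, not an object.
// The datatable is constructed so the query runs without Application Insights.
let sample = datatable(timestamp:datetime, name:string, propsJson:string)
[
    datetime(2019-02-20T10:00:00Z), "Navigated to details view", '{"productId":"4711","source":"search"}',
    datetime(2019-02-20T10:05:00Z), "Navigated to details view", '{"productId":"1234","source":"home"}',
    datetime(2019-02-20T10:07:00Z), "Navigated to details view", '{"productId":4711,"source":"deeplink"}',
    datetime(2019-02-20T10:09:00Z), "Other event",               '{}'
]
| extend customDimensions = bag_pack("Properties", propsJson)   // mimic the real column
| project-away propsJson;
sample
| where name == "Navigated to details view"
// Properties is a serialized string: parse it first, then its keys are addressable
| extend props = parse_json(tostring(customDimensions.Properties))
| extend productId = tostring(props.productId)
// compare as text so the quoted "4711" and the numeric 4711 both match
| where productId == "4711"
| project timestamp, name, productId, source = tostring(props.source)
```

Two rows come back (the 10:00 and 10:07 events). The filter the portal generated, customDimensions_Properties.productId == 4711, fails for both reasons at once: it addresses the unparsed string, and it compares a numeric literal against a value that is stored as text.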

How to zero-fill charts/bins in Application Insights Analytics

I'm trying to plot an area chart of one sum/count metric over time in Application Insights Analytics:
customEvents
| where timestamp > ago(7d)
| summarize count() by bin(timestamp, 1h)
| render areachart
What I see is that if there is no data in some buckets then the chart doesn't drop to 0. Instead two dots are connected and there is the perception that there was some data when in fact there was not.
Question - how to get zero-filled area charts (corresponding to red ink chart)?
There are several ways to achieve this.
The make-series operator allows setting a default value for the periods where no data is present for aggregation:
customEvents
| where timestamp > ago(10m)
| make-series count() default=0 on timestamp in range(ago(10m), now(), 1m)
| render areachart
This will produce zero-filled data array and | render will build the chart accordingly.
If | summarize is preferred, you can create a zero-filled range yourself with the range operator:
let defaultValue = 0;
range timestamp from floor(ago(10m),1m) to floor(now() + 10m,1m) step 1m
| join kind=leftouter
(
customEvents
| where timestamp > floor(ago(10m),1m) and timestamp < floor(now(),1m)
| summarize Value=count() by bin(timestamp, 1m)
) on timestamp
| project timestamp, value = iff(isnotempty(Value), Value, defaultValue)
| render areachart
Make sure to use join kind=leftouter to have all timestamps from the left side of the join present in output.
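The make-series form above produces one array-valued row. As an added example (not from the answer), the query below extends it to one zero-filled series per event name and then unpacks the arrays back into ordinary rows with mv-expand, which is the shape that alert rules, joins and further summarize steps need; a bucket that really is empty then shows as an explicit 0 row instead of a missing one, so a sudden silence is visible rather than interpolated away. It assumes the customEvents table with timestamp and name columns.

```kusto
// Added example, not the answer's query. Assumes the Application Insights
// customEvents table with timestamp and name columns.
let start = floor(ago(10m), 1m);
let stop  = floor(now(), 1m);
customEvents
| where timestamp >= start and timestamp < stop
// one series per event name; every 1m bucket in [start, stop) is present, default 0
| make-series events = count() default = 0 on timestamp from start to stop step 1m by name
// make-series yields one row per name holding two arrays; mv-expand pairs them
// element-wise and emits one (name, timestamp, events) row per bucket
| mv-expand timestamp to typeof(datetime), events to typeof(long)
| extend silent = events == 0          // explicit marker for empty buckets
| order by name asc, timestamp asc
```

Because the series is built on a fixed from/to range, a name that stopped sending events entirely still gets a full run of zero rows, which is exactly what a "no events for N minutes" detection needs and what the summarize-only form cannot provide.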

Application Insight Analytics Pivot

Is there a way to pivot in Azure Application insight analytic queries? SQL has a Pivot Keyword, can similar be achieved in Application insight Analytics?
When I run the below query I get exceptions and count, but I would like to see a day on day trending
exceptions
| where timestamp >= ago(24h)
| extend Api = replace(@"/(\d+)", @"/xxxx", operation_Name)
| summarize count() by type
| sort by count_ desc
| limit 10
| project Exception = type, Count = count_
I am looking for something like the below, day-wise.
The easiest way to achieve something similar to what you need is by using:
exceptions
| where timestamp >= ago(7d)
| summarize count() by type, bin(timestamp, 1d)
This will give one line per type, per day in the output. Not exactly what you wanted, but it will look good when rendered in a graph (it will give you a line for each type).
To get a table similar to what you put in your example would be more difficult, but this query should do the trick:
exceptions
| where timestamp >= startofday(ago(3d))
| extend Api = replace(@"/(\d+)", @"/xxxx", operation_Name)
| summarize count() by type, bin(timestamp, 1d)
| summarize
Today = sumif(count_, timestamp == startofday(now())),
Today_1 = sumif(count_, timestamp == startofday(ago(1d))),
Today_2 = sumif(count_, timestamp == startofday(ago(2d))),
Today_3 = sumif(count_, timestamp == startofday(ago(3d)))
by type
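The sumif() table above hard-codes one column per day. As an added example (not the answer's own query), the same day-on-day table can be produced with the pivot plugin, which creates the day columns from the data itself, so the query does not change when the window does. It assumes the exceptions table with its timestamp and type columns.

```kusto
// Added example; not the answer's query. Assumes the Application Insights
// exceptions table with timestamp and type columns.
let days = 3d;
exceptions
| where timestamp >= startofday(ago(days))
// a readable label per day; pivoting on the raw datetime would give
// column names like "2019-02-20 00:00:00.0000000"
| extend day = format_datetime(bin(timestamp, 1d), "yyyy-MM-dd")
| summarize count() by type, day
// pivot: one row per type, one column per distinct day, cell = summed count
| evaluate pivot(day, sum(count_), type)
| order by type asc
```

A day on which a given type raised no exceptions appears as an empty cell rather than 0 in the pivoted output; wrap the following steps in coalesce() if downstream arithmetic needs a numeric zero there.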
