I have this search in Kusto but I have a problem converting to a percentile. I am able to convert to Gig/sec but not to a percentile. When I did, I was only getting a percentile for the total, not for each one. Any help is really appreciated.
AzureMetrics
| where ResourceId contains "route"
| where MetricName == "BitsInPerSecond"
| where TimeGenerated > (now() - 60m) and TimeGenerated <= now()
| summarize by Resource, inGigabitPersec=Maximum/100000000
| summarize percentiles(inGigabitPersec, 100)
Thanks
percentiles() is an aggregation function (like count(), sum()). If you would like to calculate it for each value of 'Resource', the next example calculates P90, P95, and P100 per resource:
AzureMetrics
| where ResourceId contains "route"
| where MetricName == "BitsInPerSecond"
| where TimeGenerated > (now() - 60m) and TimeGenerated <= now()
| extend inGigabitPersec=Maximum/100000000
| summarize percentiles(inGigabitPersec, 90, 95, 100) by Resource
I have calculated columns in my Kusto query. Now one of the column names is 'GET /dbs/*/colls/*/pkranges'. While running my query I'm facing this error:
Semantic error: Unsupported calculated column name GET /dbs/*/colls/*/pkranges Kusto
Can someone help in replacing the column name dynamically, or during the calculation itself?
My query is below:
dependencies
| where operation_Id in (operation_ids)
| where timestamp > ago(7d)
| summarize duration_list=make_list_with_nulls(duration) by tostring(name), operation_Id
| extend p = pack(tostring(name), duration_list)
| summarize bag = make_bag(p) by operation_Id
| evaluate bag_unpack(bag);
Thanks in advance!!
You can replace the invalid character (* in this case) in the key with something else, as follows, using replace_string():
dependencies
| where operation_Id in (operation_ids)
| where timestamp > ago(7d)
| summarize duration_list=make_list_with_nulls(duration) by tostring(name), operation_Id
| extend p = pack(replace_string(name, '*', '_'), duration_list)
| summarize bag = make_bag(p) by operation_Id
| evaluate bag_unpack(bag);
I have a query that fetches the number of unique vulnerabilities found in our images in our Azure Container Registry:
securityresources
| where type == 'microsoft.security/assessments/subassessments'
| where id matches regex '(.+?)/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/'
| parse id with registryResourceId '/providers/Microsoft.Security/assessments/' *
| parse registryResourceId with * "/providers/Microsoft.ContainerRegistry/registries/" registryName
| extend imageDigest = tostring(properties.additionalData.imageDigest), repository = tostring(properties.additionalData.repositoryName)
| project
registryName,
repository,
imageDigest,
severity = properties.status.severity,
vulnId = properties.id,
displayName = properties.displayName,
description = properties.description,
remediation = properties.remediation,
category = properties.category,
impact = properties.impact,
timeGenerated = properties.timeGenerated
| distinct tostring(vulnId)
| summarize count()
I would like to have a graph that shows the number of vulnerabilities over a period of time so we can see (visually) that the number of vulnerabilities is going down (or up), but I have no clue how to do this. Hopefully someone can help me achieve this.
Instead of distinct tostring(vulnId) | summarize count(), try either of the following:
summarize dcount() by bin(timeGenerated, 1h)
make-series dcount() on timeGenerated step 1h
and then add a | render timechart at the end, e.g.:
securityresources
| where type == 'microsoft.security/assessments/subassessments'
| where id matches regex '(.+?)/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/'
| extend vulnId = tostring(properties.id), timeGenerated = todatetime(properties.timeGenerated)
| summarize dcount(vulnId) by bin(timeGenerated, 1h)
| render timechart
I'd like to look at the app gateway 500 error logs over the last x number of days. But for those x number of days, I'd only like to see the logs that came in between 11:00 and 13:00 UTC. How can I do this? Here's what I have so far but it's not working.
AzureDiagnostics
| where TimeGenerated > ago(7d) and TimeGenerated between (datetime(11:00:00) .. datetime(13:00:00))
| where ResourceType == "APPLICATIONGATEWAYS" and httpStatus_d > 499
| where host_s == "my.website.com"
| summarize count() by clientIP_s, bin(TimeGenerated, 5m)
Obviously the second line (TimeGenerated) is wrong. Can someone please advise on how to do this?
Thanks!
You could use hourofday(): https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/hourofdayfunction
For example:
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where hourofday(TimeGenerated) between (11 .. 12) // 11:00 AM -> 12:59 PM
| where host_s == "my.website.com"
| where ResourceType == "APPLICATIONGATEWAYS"
| where httpStatus_d > 499
| summarize count() by clientIP_s, bin(TimeGenerated, 5m)
I'm trying to query some Azure Application Gateway related things from Azure Log Analytics.
I get for a query like this results for every single http status code:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog"
| summarize count() by httpStatus_d, Resource
Now I need those results grouped for 2xx, 3xx, 4xx and 5xx.
Being new to Kusto, I can't find the right approach to achieve this.
Thanks for your hints!
You could try using the bin() function, e.g.:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog"
| summarize count() by bin(httpStatus_d, 100), Resource
Thanks to #yoni who pointed me in the right direction.
I solved it like this:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayAccessLog"
| extend HTTPStatus = case(httpStatus_d between (200 .. 299), "2XX",
httpStatus_d between (300 .. 399), "3XX",
httpStatus_d between (400 .. 499), "4XX",
"5XX")
| summarize count() by HTTPStatus, bin(timeStamp_t, 1h)
| render timechart
Group by all httpStatus_d values automatically.
AzureDiagnostics
| where TimeGenerated > ago(30d)
| summarize count=count() by httpStatus_d
| order by httpStatus_d asc
We are having some trouble using the time charts in Azure Kusto.
In this chart we have grouped http exceptions over time.
The issue is that the chart still reports the last seen value for points in time where that exception does not exist.
See red markings.
In this specific case we see that the chart reports 3.23k exceptions on the /poll endpoint at 5:28, while there are in fact no such errors at that time.
The query looks like this:
AppServiceHTTPLogs
| where TimeGenerated > ago(1d)
| where ScStatus >= 500
| summarize count() by tostring(CsUriStem), bin(TimeGenerated, 30m)
| render timechart
Using a column chart makes the issue go away, but this comes with the price of being much less clear.
Are there any other options?
Can we somehow make missing values default to 0 instead?
You should be able to fill with default zeros using the make-series operator:
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/make-seriesoperator
AppServiceHTTPLogs
| where TimeGenerated > ago(1d)
| where ScStatus >= 500
| make-series count() on TimeGenerated from ago(1d) to now() step 30m by tostring(CsUriStem)
| render timechart
Some UX clients do not know how to represent series data, and in this case you can expand it using mv-expand (expanding both the timestamp and the value arrays together so each row becomes one point):
AppServiceHTTPLogs
| where TimeGenerated > ago(1d)
| where ScStatus >= 500
| make-series count() on TimeGenerated from ago(1d) to now() step 30m by tostring(CsUriStem)
| mv-expand TimeGenerated to typeof(datetime), count_ to typeof(long)
| render timechart