We are having some trouble using the time charts in Azure Kusto.
In this chart we have grouped http exceptions over time.
The issue is that the chart still reports the last seen value for points in time where that exception does not exist.
See red markings.
In this specific case we see that the chart reports 3.23k exceptions on the /poll endpoint at 5:28, while there is in fact no such error at that time.
The query looks like this:
AppServiceHTTPLogs
| where TimeGenerated > ago(1d)
| where ScStatus >= 500
| summarize count() by tostring(CsUriStem), bin(TimeGenerated, 30m)
| render timechart
Using a column chart makes the issue go away, but this comes with the price of being much less clear.
Are there any other options?
Can we somehow make missing values default to 0 instead?
You should be able to fill with default zeros using the make-series operator:
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/make-seriesoperator
AppServiceHTTPLogs
| where TimeGenerated > ago(1d)
| where ScStatus >= 500
| make-series count() on TimeGenerated from ago(1d) to now() step 30min by tostring(CsUriStem)
| render timechart
Some UX clients do not know how to represent series data - and in this case you can expand it using mv-expand:
AppServiceHTTPLogs
| where TimeGenerated > ago(1d)
| where ScStatus >= 500
| make-series count() on TimeGenerated from ago(1d) to now() step 30min by tostring(CsUriStem)
| mv-expand TimeGenerated to typeof(datetime), count_ to typeof(long)
| render timechart
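A self-contained version of the zero-fill approach, added here as an example that is not part of the original answer. The `SampleLogs` table, its rows and the `StartTime`/`EndTime` window are constructed stand-ins for `AppServiceHTTPLogs`, so the query runs without access to a workspace.

```kusto
// Constructed sample rows (not real data). /poll has errors in the first
// and last 30-minute bins only; the two bins in between have no rows.
// The 200 response is there to show that non-errors are filtered out.
let SampleLogs = datatable(TimeGenerated: datetime, CsUriStem: string, ScStatus: int)
[
    datetime(2024-01-01 00:05), "/poll",  500,
    datetime(2024-01-01 00:10), "/poll",  502,
    datetime(2024-01-01 00:20), "/login", 500,
    datetime(2024-01-01 01:40), "/poll",  503,
    datetime(2024-01-01 01:45), "/login", 200
];
// Fixed window (assumption) so the result does not depend on now().
let StartTime = datetime(2024-01-01 00:00);
let EndTime = datetime(2024-01-01 02:00);
SampleLogs
| where ScStatus >= 500
// make-series emits one array element per step for every series, so bins
// without matching rows get the default value instead of being absent.
| make-series Errors = count() default = 0
    on TimeGenerated from StartTime to EndTime step 30m
    by CsUriStem
// Expand the time axis and the values together: one row per (bin, series).
| mv-expand TimeGenerated to typeof(datetime), Errors to typeof(long)
| order by CsUriStem asc, TimeGenerated asc
```

Replacing the final `order by` with `render timechart` charts the same rows, with the empty bins drawn at zero rather than carried over from the previous point.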
Related
I tried the following query to get the number of TriggersStarted per hour from the last 7 days (24 hour * 7 day == 168 hour values for TriggerStarted values).
I tried using the following query:
AzureMetrics
| where TimeGenerated between ( ago(7d) .. endofday(ago(1d)) )
| where MetricName == "TriggersStarted"
| summarize count() by Hour=datetime_part("Hour", TimeGenerated)
| summarize bn = min(count_)
I tweaked in some changes and tried different functions like the bin and range functions, but I didn't get accurate results. If anyone knows a good approach to get better results, please guide me with some kind of examples or by suggesting some functions.
I'm assuming you are looking for something like this:
AzureMetrics
| where TimeGenerated between (startofday(ago(7d)) .. endofday(ago(1d)))
| where MetricName == "TriggersStarted"
| summarize count() by bin(TimeGenerated, 1h)
| order by TimeGenerated asc
In Log Analytics in Azure, I select a predefined query for VM Heartbeat. I run the query OK in the editor, but when I go to create the alert I keep getting
"The query didn't return the TimeGenerated column. Please edit the query and include the TimeGenerated column."
It's odd because it works in the editor and it's a predefined query I used from MS. What is the problem here?
// Not reporting VMs
// VMs that have not reported a heartbeat in the last 5 minutes.
// To create an alert for this query, click '+ New alert rule'
Heartbeat
| where TimeGenerated > ago(24h)
| summarize LastCall = max(TimeGenerated) by Computer, _ResourceId
| where LastCall < ago(5m)
Rename LastCall to TimeGenerated and you should be good to go:
Heartbeat
| where TimeGenerated > ago(24h)
| summarize TimeGenerated = max(TimeGenerated) by Computer, _ResourceId
| where TimeGenerated < ago(5m)
I have this search in Kusto, but I have a problem converting to a percentile. I am able to convert to Gig/sec but not to a percentile. When I did, I only got a percentile for the total, not for each one. Any help is really appreciated.
AzureMetrics
| where ResourceId contains "route"
| where MetricName == "BitsInPerSecond"
| where TimeGenerated > (now() - 60m) and TimeGenerated <= now()
| summarize by Resource, inGigabitPersec=Maximum/100000000
| summarize percentiles(inGigabitPersec, 100)
Thanks
percentiles() is an aggregation function (like count(), sum()). If you would like to calculate it for each value of 'Resource', the next example calculates P90, P95, and P100 for each resource:
AzureMetrics
| where ResourceId contains "route"
| where MetricName == "BitsInPerSecond"
| where TimeGenerated > (now() - 60m) and TimeGenerated <= now()
| extend inGigabitPersec=Maximum/100000000
| summarize percentiles(inGigabitPersec, 90, 95, 100) by Resource
I have two queries; both have similar results. I just want to draw both on one time chart in Azure Log Analytics.
customEvents
| where name startswith "USER_LOGIN"
| extend responseTime_in_sec = todouble(customMeasurements.responseTime)/1000
| summarize avg(responseTime_in_sec) by responseTime_in_sec, bin(timestamp, 1h)
| render timechart
customEvents
| where name startswith "DEPENDENT_SERVICE"
| extend responseTime_in_sec = todouble(customMeasurements.responseTime)/1000
| summarize avg(responseTime_in_sec) by responseTime_in_sec, bin(timestamp, 1h)
| render timechart
As discussed in the comments, sometimes the solution can be quite easy :)
customEvents
| where name startswith "DEPENDENT_SERVICE" or name startswith "USER_LOGIN"
| extend responseTime_in_sec = todouble(customMeasurements.responseTime)/1000
| summarize avg(responseTime_in_sec) by name, bin(timestamp, 1h)
| render timechart
If the query is more complex than this, often the union operator can help as well.
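The union approach mentioned above, written out as an added example that is not from the original answer. `SampleEvents` and its rows are constructed stand-ins for `customEvents`, and the `series` and `avg_sec` column names are assumptions made for the illustration.

```kusto
// Constructed rows (not real telemetry); responseTime is in milliseconds.
let SampleEvents = datatable(timestamp: datetime, name: string, customMeasurements: dynamic)
[
    datetime(2024-01-01 10:05), "USER_LOGIN",        dynamic({"responseTime": 1200}),
    datetime(2024-01-01 10:40), "USER_LOGIN",        dynamic({"responseTime": 800}),
    datetime(2024-01-01 11:10), "USER_LOGIN",        dynamic({"responseTime": 1500}),
    datetime(2024-01-01 10:15), "DEPENDENT_SERVICE", dynamic({"responseTime": 300}),
    datetime(2024-01-01 11:20), "DEPENDENT_SERVICE", dynamic({"responseTime": 500}),
    datetime(2024-01-01 11:50), "DEPENDENT_SERVICE", dynamic({"responseTime": 700})
];
// Each branch keeps its own filter and logic, then tags its rows with a label.
let Logins = SampleEvents
    | where name startswith "USER_LOGIN"
    | extend responseTime_in_sec = todouble(customMeasurements.responseTime) / 1000
    | summarize avg_sec = avg(responseTime_in_sec) by bin(timestamp, 1h)
    | extend series = "login";
let Dependencies = SampleEvents
    | where name startswith "DEPENDENT_SERVICE"
    | extend responseTime_in_sec = todouble(customMeasurements.responseTime) / 1000
    | summarize avg_sec = avg(responseTime_in_sec) by bin(timestamp, 1h)
    | extend series = "dependency";
// union stacks the two result sets; the string column splits them into
// two lines on the same time chart.
union Logins, Dependencies
| project timestamp, series, avg_sec
| render timechart
```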
I am trying to monitor Azure ASR VM Disk churn & throughput processing.
I can get the last hours worth of VM Churn & Upload rate with the following query:
Perf
| where ObjectName == "ASRAnalytics"
| where InstanceName contains "VMName"
| where TimeGenerated >= ago(1h)
| project TimeGenerated, CounterName, Churn_MBps = todouble(CounterValue)/5242880
| render timechart
This will only get me either a line chart showing what the VM upload activity looked like, or a table of values with columns TimeGenerated, CounterName, Churn_MBps.
How can I aggregate these values into a single value per counter name (SourceVmThrpRate,SourceVmCurnRate) that will show me the total aggregate Churn or Thrp for the total hour?
Kusto Query has aggregated functions; like count(), avg(), max(), etc - you can read more about Aggregated Functions.
I hope the updated query below helps; I have added summarize, but I have not validated the result as I will have different data.
| summarize avg(Churn_MBps) by bin(TimeGenerated, 1h), CounterName
Perf
| where ObjectName == "ASRAnalytics"
| where InstanceName contains "VMName"
| where TimeGenerated >= ago(1h)
| project TimeGenerated, CounterName, Churn_MBps = todouble(CounterValue) / 5242880
| summarize avg(Churn_MBps) by bin(TimeGenerated, 1h), CounterName
| render timechart