I am using azure customer metrics to store application usage metrics, I am exporting the stats every 5 minutes. I am using the query below to create a aggregated series without any gaps.
I expect the start to be 5/10/2020, 12:00:00.000 AM and end to be 5/14/2020, 12:00:00.000 AM. However in my results, start is fine , but the end is 5/10/2020, 10:35:00.000 AM. I am running this query on 5/13/2020, 4:09:07.878 AM. The min timestamp in my data is 5/11/2020, 12:54:06.489 PM and max is 5/12/2020, 2:32:47.459 PM.
What is wrong with my query? why the make-series wouldn't give rows beyond day 1
let start = floor(ago(1d),1d);
let end = floor(now(+1d),1d);
customMetrics
| where timestamp >= start
| where name == "endpoint_access_count_count_view"
| extend customMetric_valueSum = iif(itemType == 'customMetric',valueSum,todouble(''))
| make-series n_req = sum(customMetric_valueSum) on timestamp from start to end step 5m
| mvexpand n_req,timestamp
| extend timestamp=todatetime(timestamp),n_req=toint(n_req)
mvexpand, unlike mv-expand (note the hyphen), has a default limit of 128 values, so your results get truncated.
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/mvexpandoperator
Related
Hi Kusto Query Language(KQL) lovers,
I am trying to write a query in Kusto Query Language (KQL), that can compare count of APIs that failed today in a specific time (lets say 2:30 p.m. to 3 p.m.) with respect to count of APIs that failed yesterday in the same timeframe (2:30 p.m. to 3 p.m.).
For instance, if today, in last 30 min operation X was failed 10 times with failure code 400, I need to see count with which operation X failed today in last 30 minutes (Same time frame).
For this purpose, I used Scalar function bin() and wrote following query that extracts data from request table:
requests
|where timestamp > ago(1d)
| where client_Type != "Browser"
| where (cloud_RoleName == 'X')
| where name != 'HTTP GET'
| where success == false
| summarize count() by bin (timestamp, 1d), name, resultCode
|sort by timestamp
Here is the output I got when using timestamp > ago(1d). This way, I was shown APIs that failed today and yesterday but there is no clear comparison between both dates.
Is there any way I can display count of APIs that failed yesterday on separate Column adjacent to the count_ Column that has count of corresponding APIs that failed today?
I know of project operator that adds extra column but I don't know how to incorporate and assign count of APIs that failed yesterday to project operator.
Kindly add to my knowledge of any relevant function or operator in KQL that can achieve this task.
The other way I tried was to define two variables, startDateTime and endDateTime to get the data of specific time as shown below.
Blank Output when I defined variables to define selected time frame:
let startDateTime = todatetime("2023-02-07 06:35:00.0");
let endDateTime = todatetime("2023-02-07 06:35:00.0");
requests
|where timestamp > startDateTime and timestamp < endDateTime
| where client_Type != "Browser"
| where (cloud_RoleName == 'web-memberappservice-weu-prod')
| where name != 'HTTP GET'
| where success == false
| summarize count() by bin (timestamp, 1d), name, resultCode
|sort by timestamp
I searched about KQL query to compare count of failed APIs for today with respect to count of APIs that failed yesterday and checked some results from Stack overflow which are not helping me in achieving desired result.
I tried these links but queries on these links do not reflect what I want to achieve:
Best way to show today Vs yesterday Vs week in KQL azure monitror
kql query to compare the hour which has minimum number of TriggersStarted from last week to today past hour TriggersStarted
What am I expecting?
I want a query that can display count of APIs that failed yesterday on separate Column adjacent to the count_ Column that has count of corresponding APIs that failed today.
I know of project operator that adds extra column but I don't know how to incorporate and assign count of APIs that failed yesterday to project operator.
Kindly identify any relevant function or operation that can help in this regard.
* The where clause was added for performance reasons.
// Sample data generation. Not part of the solution.
let requests = materialize(range i from 1 to 100000 step 1 | extend timestamp = ago(2d * rand()), name = tostring(dynamic(["PUT", "POST", "PATCH", "GET"])[toint(rand(4))]), resultCode = 400 + toint(rand(3)));
// Solution starts here.
let _period = 30m;
requests
| where timestamp between (ago(_period) .. _period)
or timestamp between (ago(_period + 1d) .. _period)
| summarize todayCount = countif(timestamp between (ago(_period) .. _period))
,YesterdayCount = countif(timestamp between (ago(_period + 1d) .. _period))
by name, resultCode
|sort by name asc, resultCode asc
name
resultCode
todayCount
YesterdayCount
GET
400
91
100
GET
401
98
98
GET
402
109
89
PATCH
400
93
77
PATCH
401
84
85
PATCH
402
74
82
POST
400
78
85
POST
401
96
77
POST
402
85
102
PUT
400
98
81
PUT
401
97
85
PUT
402
77
83
Fiddle
i have a Question about a Query in KQL.
I would like to use a Time at the KQL Query who only shows me the Results between 08:00 and 17:00 Time.
How can i build these at the KQL Query?
Im only find the DateTime Variable but i need only the Time?
Thanks a lot.
Regards,
Phil
The below is the example to show logs between specific time:
let start=datetime("10/26/2022 1:04:27.627 AM");
let end=datetime("10/26/2022 1:22:53.745 AM");
traces
| where timestamp > start and timestamp < end
If you only want timestamp then:
let start=datetime("10/26/2022 1:04:27.627 AM");
let end=datetime("10/26/2022 1:22:53.745 AM");
traces
| where timestamp > start and timestamp < end
| project timestamp
You can give your date and time in end and start in query.
Timestamp%1d will give us only the time part of the day (timespan).
// Data sample generation. Not part of the solution.
let t = materialize (range i from 1 to 20 step 1 | extend Timestamp = ago(7d * rand()));
// Solution starts here.
t
| where Timestamp%1d between (8h .. 17h)
| order by Timestamp%1d asc // Just for display
i
Timestamp
13
2022-10-19T08:26:45.2144968Z
1
2022-10-23T12:00:21.8528635Z
16
2022-10-19T12:50:27.4405648Z
19
2022-10-19T13:00:48.9000836Z
2
2022-10-24T13:19:30.956558Z
8
2022-10-25T13:51:25.726857Z
10
2022-10-22T14:12:09.8304847Z
7
2022-10-25T14:51:14.3011525Z
14
2022-10-20T15:21:04.5173436Z
11
2022-10-20T16:04:06.412613Z
12
2022-10-19T16:48:54.0581289Z
Fiddle
| take 2000000
| summarize Value = avg(Value) by bin(TimeStampOfValue, 1h)
I have an adx table with Value and a Timestamp and I run this query I get the avg Value every hour for example:
TimeStampOfValue
Value
2022-01-30T22:00:00
500
2022-01-30T23:00:00
499,99
I'd like it to return:
TimeStampOfValue
Value
2022-01-30T22:30:00
500
2022-01-30T23:30:00
499,99
How do I shift the 'by bin' by 30 minutes? so it runs hourly on the half hour mark? Is this even possible?
One solution is to use 'bin_at' with a specific time so it starts hourly from there, is this the only way?
in Azure workbooks with the below query I am able to get avg of 2 columns a as per time range selected but here least time we can select is 30 mins we have a requirement to show last 1 min status of the result for that I need another column and show last 1 mins status
let start = {TimeRange:start};
let grain = {TimeRange:grain};
workspace(name).site1_CL
| extend healty=iff(Status_s == 'Connected' , 100 , 0)
| summarize table1= avg(healty) by ClientName_s
|join
(workspace(name).site2_CL
| extend Availability=iff(StatusDescription_s == 'OK' , 100 , 0)
|summarize table2=avg(Availability) by ClientName_s
)
on ClientName_s
| extend HealthStatus=(table1+table2)/2
| project Client=ClientName_s,Environment=EnvName_s,HealthStatus
req another column and show current status instead aggregation of selected timerange this column should override selected timerange and show last 1 minute aggregation of 2 tables
Couldn´t you just set the start to use the value you need?
let start = now(-1m); //last minute
I have roughly the following setup:
Values:
MONTH | DURATION | VALUE |
5 | 3 | 120 |
6 | 1 | 100 |
Expected outcome for totals:
MONTH | TOTAL
5 | 120
6 | 220
7 | 120
What I would like to do, is to be able to sum in another table the total values for each month. The logic would be to SUM every value where the total table's month is equal or higher than that of the values, but lower than the value's month + duration.
Does that make any sense? Is that possible? I'm cracking my head and I can't seem to find a way to solve it.
Thank you very much.
The easiest solution is probably to make another column with the end month. And then use SUMIFS to check if month is >= starting month and <= ending month.
=SUMIFS(<Range of Values>,<Range of starting>,"<="& "Target month",<Range of ending>,">="& <Target month>)
DSUM is the best candidate for this, I believe. See Microsft's documentation and this site for help understanding function, and what it is doing. I have made very complex calculations possible in Excel by using the "database" methods (DSUM, DCOUNT, etc).