I am running the following query and it is returning me multiple instances of the service eg firefox and firefox#1 firefox#2.
When I display a chart I get multiple lines rather than a single Firefox line with the average of all 3 instances into one.
Perf
| where InstanceName
has "firefox"
and CounterValue > 0
| summarize ProcessorUsage = avg(CounterValue)
by bin(TimeGenerated,
5m), InstanceName
So rather than return firefox#1 and firefox#2 is it possible to group the average of all 3.
I am looking to be able to see CPU usage on each process on VM rather than seeing multi instances of the same application.
Update 0809: For add another instance like chrome
Perf
| where (InstanceName has "firefox" and CounterValue >0) or (InstanceName has "chrome" and CounterValue >0)
| extend new_InstanceName = iif(InstanceName has "firefox", "firefoxavg","chromeavg" )
| summarize ProcessorUsage = avg(CounterValue) by bin(TimeGenerated, 5m), new_InstanceName
You can add a new column(using extend operator) for the records which contains "firefox", then in the summary sentence, use the new column.
Code like below:
Perf
| where InstanceName has "firefox" and CounterValue > 0
| extend new_InstanceName ="firefoxavg"
| summarize ProcessorUsage = avg(CounterValue) by bin(TimeGenerated, 5m), new_InstanceName
Related
I need to run a very simple query
requests
| where cloud_RoleName == "blabla"
| summarize Count=count() by url
| order by Count desc
only thing i need to get the data just from the past 5 minutes
if i try this :
requests | where timestamp < ago(5m)
| where cloud_RoleName == "blabla"
| summarize Count=count() by url
| order by Count desc
or this
requests
| where cloud_RoleName == "blabla" and timestamp < ago(5m)
| summarize Count=count() by url
| order by Count desc
but all of them are returning answers with data older than 5 minutes.
ive read the doc and i see no other way of writing this query
can anyone assist?
Make sure to check if the timestamp is greater than the result of ago().
It returns the timestamp from e.g. 5 minutes ago, so if you want the data that is within last 5 minutes, you want the ones with a timestamp higher than that.
So the query should be:
requests
| where timestamp > ago(5m)
| where cloud_RoleName == "blabla"
| summarize Count=count() by url
| order by Count desc
To start, I am new to KQL. I am trying to write a query that provides me with an overall network utilization of my VM's.
Below is what I have currently:
Perf
| where ObjectName == "Network Interface"
| where Computer startswith "T1"
| where CounterPath contains "Bytes Received"or
CounterPath contains "Current Bandwidth"
| project Computer, ObjectName, CounterName, CounterValue, CounterPath
| sort by Computer
| summarize avg(CounterValue) by Computer, CounterName
and it returns the two rows of data for each computer (one row for Bytes Received and one row for Current Bandwidth)
What I need to accomplish is combine the two rows of data for each computer with the equation ((Total Bytes\Sec * 8)/current bandwidth) * 100 - and this should produce a single data point for each computer.
Can someone help me accomplish this?
you could try using the avgif() aggregation function. for example:
Perf
| where ObjectName == "Network Interface"
| where Computer startswith "T1"
| where CounterPath has "Bytes Received" or CounterPath has "Current Bandwidth"
| summarize avg_BytesReceived = avgif(CounterValue, CounterPath has "Bytes Received"),
avg_CurrentBandwidth = avgif(CounterValue, CounterPath has "Current Bandwidth")
by Computer
| project Computer, Result = 100.0 * avg_BytesReceived * 8 / avg_CurrentBandwidth
I have a column full of Computers in Log Analytics. An example is, "window432, linus909, windows322, linux432". I am filtering my disk utilization but I also want to filter by the specific word "window" or "lin". Is that possible? I am using Kusto to query so here's an example of my thought process:
Perf
| where Name == "Utilization Percentage"
and "win" in Computer
Something like this. Is that possible?
Thank you.
Based on given information in the question and based on what I understand, the requirement is to filter based on Computer names starting with either "window" or "lin".
If that is the case then you can accomplish the requirement with startswith string operator.
Query would look something like:
Perf
| where CounterName == #"% Processor Time" and InstanceName == "_Total"
| where Computer startswith "window" or Computer startswith "lin"
or
InsightsMetrics
| where Name == "UtilizationPercentage"
| where Computer startswith "window" or Computer startswith "lin"
Similarly, based on the requirement, you may leverage other string operators like "in", "has", "endswith", etc. string operators or any other operators or functions as appropriate. For more information w.r.t it, please refer Kusto Query Language (KQL) documents.
If i understand the description correctly, this could work.
It:
splits the original comma separated string using split()
expands those using mv-apply
filters out values that don't contain win
aggregates the remaining values into a new (filtered) comma separated string
datatable(Computers:string, id:int)
[
"window432, linus909, windows322, linux432", 1,
"window451, linux459, windows444, linux234", 2,
"android222, ios222, linux333" , 3
]
| mv-apply Computer = split(Computers, ", ") on (
where Computer contains "win"
| summarize Computers = strcat_array(make_list(Computer), ", ")
)
| where isnotempty(Computers)
input:
| Computers | id |
|-------------------------------------------|----|
| window432, linus909, windows322, linux432 | 1 |
| window451, linux459, windows444, linux234 | 2 |
| android222, ios222, linux333 | 3 |
output:
| id | Computers |
|----|-----------------------|
| 1 | window432, windows322 |
| 2 | window451, windows444 |
I am trying to monitor Azure ASR VM Disk churn & throughput processing.
I can get the last hours worth of VM Churn & Upload rate with the following query:
Perf
| where ObjectName == "ASRAnalytics"
| where InstanceName contains "VMName"
| where TimeGenerated >= ago(1h)
| project TimeGenerated, CounterName, Churn_MBps = todouble(CounterValue)/5242880
| render timechart
This will only get me either a line chart showing what the VM upload activity looked like, or a table of values with columns TimeGenerated, Countername, Churn_MBps
How can I aggregate these values into a single value per counter name (SourceVmThrpRate,SourceVmCurnRate) that will show me the total aggregate Churn or Thrp for the total hour?
Kusto Query has aggregated functions; like count(), avg(), max(), etc - you can read more about Aggregated Functions.
I hope below updated query helps; I have added summarize but I have not validated result as I will have different data.
| summarize avg(Churn_MBps) by bin(TimeGenerated, 1h), CounterName
Perf
| where ObjectName == "ASRAnalytics"
| where InstanceName contains "VMName"
| where TimeGenerated >= ago(1h)
| project TimeGenerated, CounterName, Churn_MBps = todouble(CounterValue) / 5242880
| summarize avg(Churn_MBps) by bin(TimeGenerated, 1h), CounterName
| render timechart
In the Azure new log analytics query platform you can query for performance counters and summarize them to finally create a nice graph.
Following the multiple dimensions documentation example it says
Multiple expressions in the by clause creates multiple rows, one for
each combination of values.
I want to query their sample database for networks bytes Send and Received per each computer. Starting with this query it should be something like
Perf
| where TimeGenerated > ago(1d)
| where (CounterName == "Bytes Received/sec" or CounterName == "Bytes Sent/sec")
| summarize avg(CounterValue) by bin(TimeGenerated, 1h), Computer, CounterName
| extend Threshold = 20
| render timechart
The problem is that Send and Received bytes gets grouped in the graph at computer level.
How can multiple dimensions be represented as stated in the documentation so that I have Computer X Bytes Send and Computer X Bytes Received instead of them grouped together witch doesn't make any sense?
Not to mention that in the previous version this was working as expected.
I though that if multiple dimensions are not really accepted a string concatenation would do the trick. A bit hackish in my opinion but it did.
Perf
| where (CounterName == "Bytes Received/sec" or CounterName == "Bytes Sent/sec") and InstanceName matches regex "^Microsoft Hyper-V Network Adapter.*$"
| summarize avg(CounterValue) by strcat(Computer, " ", CounterName), bin(TimeGenerated, 10s)
| render timechart
Another option is this
let RuntimeID = CosmosThroughput_CL
| where MetricName_s == "ProvisionedThroughput" and TimeGenerated between (ago(2h) .. ago(1h))
| order by TimeGenerated desc
| top 1 by TimeGenerated
| distinct RuntimeID_g;
CosmosThroughput_CL
| where MetricName_s == "ProvisionedThroughput" and RuntimeID_g in (RuntimeID)
| project Resource = toupper(Resource), Value = Throughput_d, Container = Container_s, Database = Database_s, MetricName = "Provisioned"
| union
(
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DOCUMENTDB" and Category == "PartitionKeyRUConsumption"
| where TimeGenerated between (ago(1d) .. ago(1d-1h))
| summarize Value = sum(todouble(requestCharge_s)) by Resource, databaseName_s, collectionName_s
| project Resource, Container = collectionName_s, Database = databaseName_s, Value, MetricName = "HourlyUsage"
)
| union
(
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DOCUMENTDB" and Category == "PartitionKeyRUConsumption"
| where TimeGenerated between (ago(1d) .. ago(1d-1h))
| summarize Value = sum(todouble(requestCharge_s)/3600) by Resource, databaseName_s, collectionName_s
| project Resource, Container = collectionName_s, Database = databaseName_s, Value, MetricName = "RUs"
)
| project Resource, Database, Container, Value, MetricName
The important part is to project the same column names. Value holds the different values from each table. Second union helps me project another value from the same table.