How do I create a variable and set it equal to the count of a specific customEvent? - azure

I have telemetry in my code that creates two custom events (longNameHere_event_success/longNameHere_event_error). I have a small AI Analytics query that looks for my events, gets the count of each, and renders a pie chart for a percentage metric.
As my event names are rather long, I'd like to create a variable for each to make the pie chart more legible.
customEvents
| where name contains "event"
| summarize count() by name
| render piechart
Current result is a pie chart with percentages for "longNameHere_event_success" and "longNameHere_event_error".
Desired result would be renaming "longNameHere_event_success" to "Success" and "longNameHere_event_error" to "Failure".

You can rename the column value as follows (I used an inline function for readability, but you can replace the function call with the case statement). Is this what you were looking for?
let rename = (original:string)
{
    case(original == "longNameHere_event_success", "success",
         original == "longNameHere_event_error", "error",
         "unknown")
};
let customEvents = datatable(name:string)
[
    "longNameHere_event_success",
    "longNameHere_event_success",
    "longNameHere_event_error"
];
customEvents
| where name contains "event"
| summarize count() by name
| project name = rename(name), count_
| render piechart

Related

Azure Application Insights | KQL | customDimensions column containing array of objects

We are using Azure Application Insights for error logging. I am new to KQL and trying to fetch custom properties from the inbuilt "customDimensions" column in the following format.
Value as is from the "customDimensions" column:
exceptions
| project customDimensions
{
"File Name":"Sample File 1",
"Correlation ID":"e33a8d45-1234-1234-1223-54a6fec30356",
"Error List":"[
{\"Function Name\":\"Sample Function 1\",\"Code\":\"12345\"},
{\"Function Name\":\"Sample-Function-2\",\"Code\":\"12343\"}]"
}
Expected Output:
File Name     | Correlation ID                       | Function Name     | Code
Sample File 1 | e33a8d45-1234-1234-1223-54a6fec30356 | Sample Function 1 | 12345
Sample File 1 | e33a8d45-1234-1234-1223-54a6fec30356 | Sample-Function-2 | 12343
How can I achieve the above output using KQL?
Thank You.

This might seem a little bit tricky, but bear with me :-)
Every sub-element extracted from a dynamic element is dynamic.
parse_json() / todynamic(), when given a dynamic argument, returns it as is.
So first we use tostring(), and only then we use todynamic(), so the string is parsed as JSON into the dynamic type.
datatable(ErrorDetails:dynamic)
[
    dynamic({
        "File Name":"Sample File 1",
        "Correlation ID":"e33a8d45-0566-4bf2-94f8-54a6fec29bff",
        "Error List":"[{\"Function Name\":\"Sample Function 1\",\"Code\":\"12345\"},{\"Function Name\":\"Sample-Function-2\",\"Code\":\"12343\"}]"
    })
]
| mv-expand EL = todynamic(tostring(ErrorDetails["Error List"]))
| project
    ["File Name"] = ErrorDetails["File Name"],
    ["Correlation ID"] = ErrorDetails["Correlation ID"],
    ["Function Name"] = EL["Function Name"],
    ["Code"] = EL["Code"]
File Name     | Correlation ID                       | Function Name     | Code
Sample File 1 | e33a8d45-0566-4bf2-94f8-54a6fec29bff | Sample Function 1 | 12345
Sample File 1 | e33a8d45-0566-4bf2-94f8-54a6fec29bff | Sample-Function-2 | 12343

How to render a cumulative histogram based on ALA

I'd like to render a cumulative histogram of the duration of various workflows.
This is the query I use to compute the duration of various workflows, and the timeElapsedInMs result can be used to do things like compute percentiles (as shown). The durations span a fairly sizable range, from under a second to several minutes. What I would like to do is render a cumulative histogram of the data. My best guess at this point is that the accumulate property of one of the render types might work, but I can't seem to wrap my head around how to do that.
let start = fluentbit_CL
    | where log_s has_cs "<starting event>"
    | project trackingId = trackingId_g, timestampStart = _timestamp_t;
let finish = fluentbit_CL
    | where log_s contains "<ending event>"
    | project trackingId = trackingId_g, timestampFinish = _timestamp_t;
start
| join finish on trackingId
| extend timeElapsedInMs = datetime_diff('millisecond', todatetime(timestampFinish), todatetime(timestampStart))
| summarize min=min(timeElapsedInMs), avg=avg(timeElapsedInMs), percentiles_array(timeElapsedInMs, 50, 95), max=max(timeElapsedInMs)
I'd also be happy with another sensible way to render the data to get a look at the percentiles, but my current best approaches don't get a very clear impression of the data.

There is no need to write one query for the starting event and one for the ending event and then join them. This can be done with a single query, using summarize.
A histogram can be easily created using bin().
An accumulated histogram can be easily rendered using with (accumulate=True).
// This part of the code is just for data sample generation and is not part of the solution
let start = materialize (range trackingId_g from 1 to 100 step 1 | extend _timestamp_t = ago(24h * rand()), log_s = "<starting event>");
let finish = materialize (start | extend _timestamp_t = _timestamp_t + 5m * rand(), log_s = "<ending event>");
let fluentbit_CL = (union start, finish);
// The solution starts from here
fluentbit_CL
| summarize duration = anyif(_timestamp_t, log_s has_cs "<ending event>") - anyif(_timestamp_t, log_s has_cs "<starting event>")
by trackingId_g
| summarize count() by bin(duration, 10s)
| order by duration asc
| render timechart with (accumulate=True)

Kusto query with filter depending on dashboard parameter

I want to be able to toggle a filter on my query via a parameter in dashboard. How can I turn the "where" operator off?
E.g. the parameter in the dashboard is "_toggle"
let _filter = dynamic(["A", "B"]);
Table
| where id in (_filter) // execute this line only if _toggle == true
| project id
I already tried creating a second list containing all the ids and toggling between the small and the complete list via iff(), but this is too resource intensive.

You could try something like this:
let _filter = dynamic(["A", "B"]);
Table
| where _toggle == false or id in (_filter)
| project id

Create variables from tag values

I am trying to create different variables for the 'costcenter' tag. Each tag key "costcenter" has a respective value of "AB12", for example. I want to create a new variable in Kusto so that every costcenter with the value of "AB12" is labeled as "HR Department".
I am unfamiliar with the syntax but need to get the value from costcenter that equals "AB12" and then store that as "Hr Department", so when I create a chart it shows HR department instead of "AB12".
resources
| extend cost = tostring(tags['costcenter'])

You can try using the case() function, or a mapping from actual value to desired value:
resources
| extend costcenter = tostring(tags['costcenter'])
| extend costcenter = case(costcenter == "AB12", "HR Department", costcenter)
| ...

let mapping = dynamic({"AB12":"HR Department", "AB23":"something else"});
resources
| extend costcenter = mapping[tostring(tags['costcenter'])]
| ...

How can I get the Scenario Outline Examples' table?

In the AfterScenario method, I want to get the rows from the "Examples" table in a Scenario Outline, to get the values in it, and search for those specific values in the database.
I know that this can be achieved by using Context.Scenario.Current...
Context.Scenario.Current[key]=value;
...but for some reason I'd like to be able to get it in a simpler way, like this:
ScenarioContext.Current.Examples();
----------- SCENARIO --------------------------------
Scenario Outline: Create a Matter
Given I create matter "< matterName >"
Examples:
| matterName |
| TAXABLE |
----------AFTER SCENARIO -----------------------------------
[AfterScenario()]
public void After()
{
string table = ScenarioContext.Current.Examples();
}

So if you look at the code for ScenarioContext you can see it inherits from SpecFlowContext, which is itself a Dictionary<string, object>. This means that you can simply use Values to get the collection of values, but I have no idea if they are Examples or not.
The best solution I came up with was to infer the examples by keeping my own static singleton object, then counting how many times the same scenario ran.
MyContext.Current.Counts[ScenarioContext.Current.ScenarioInfo.Title]++;
Of course, this doesn't work very well if you don't run all the tests at the same time or run them in random order. Having a table with the examples themselves would be more ideal, but if you combine my technique along with using ScenarioStepContext you could extract the parameters of the Examples table out of the rendered step definition text itself.
Feature
Scenario Outline: The system shall do something!
Given some input <input>
When something happens
Then something should have happened
Examples:
| input |
| 1 |
| 2 |
| 3 |
SpecFlow Hook
// Requires "using System.Linq;" for Last()
[BeforeStep]
public void BeforeStep()
{
    var text = ScenarioStepContext.Current.StepInfo.Text;
    var stepType = ScenarioStepContext.Current.StepInfo.StepDefinitionType;
    if (text.StartsWith("some input ") && stepType == StepDefinitionType.Given)
    {
        // The Examples value is the last word of the rendered step text
        var input = text.Split(' ').Last();
    }
}
