Azure Log Analytics Query with WHERE clause produces no results - azure

I'm querying log entries in Azure Application Insights originating from AppCenter Diagnostics using Azure Log Analytics.
In some log entries I use custom properties.
Now I'm trying to write a query to show values only with certain properties having a given value.
My original query looks like this and produces the expected result:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
| top 101 by timestamp desc
| project timestamp, name, customDimensions.Properties
| where name == "Navigated to details view"
Hovering over the "productId" property shows a plus sign which allows adding a filter criterion:
Choosing this option extends my query:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
| top 101 by timestamp desc
| project timestamp, name, customDimensions.Properties
| where name == "Navigated to details view"
| where customDimensions_Properties.productId == 4711
So far, so good. If I now try to run this query, I get the message "NO RESULTS FOUND":
Edit:
I also tried adding the where clause at the bottom to the first where clause:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
and name == "Navigated to details view"
and customDimensions.Properties.productId == 4711
| top 101 by timestamp desc
| project timestamp, name, customDimensions
Unfortunately no result either.
Edit 2:
I also tried this query to see if I can project the productId property in my query without including it in the where clause:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
and name == "Navigated to details view"
| top 101 by timestamp desc
| project timestamp, name, customDimensions, customDimensions.Properties.productId
But this column is empty:
Is there anything I am missing? Is the tooling a problem and producing a wrong query?
Thank you for any help!

You would have to use various operators like mvexpand and extend to accomplish your requirement. Please find below sample query. Note that the below one is just a sample query which you may have to tweak a bit to make it work as expected and get the expected output (say if you are expecting output with all the columns of the customEvent at a particular timestamp which has particular productId, etc.)
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
| top 101 by timestamp desc
| project timestamp, name, customDimensions_Properties
| where name == "Navigated to details view"
| extend CDP_toString=parsejson(tostring(customDimensions_Properties))
| mvexpand CDP_toString
| project CDP_toString
| where CDP_toString.['productId'] == "4711";
Hope this helps!! Cheers!! :)
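A self-contained illustration of the filter discussed in this thread, added here as an example and not taken from either post. It assumes, as the answer's parsejson(tostring(...)) step implies, that Properties holds a JSON string rather than a nested object; the sample rows and the names sampleEvents, propsJson, direct, props and parsed are constructed for the example.

```kusto
// Constructed sample rows standing in for customEvents (not real telemetry).
// Assumption: customDimensions.Properties is stored as a JSON *string*.
let sampleEvents = datatable(timestamp: datetime, name: string, propsJson: string)
[
    datetime(2019-02-20T10:00:00Z), "Navigated to details view", '{"productId":"4711"}',
    datetime(2019-02-20T11:00:00Z), "Navigated to details view", '{"productId":"1234"}',
    datetime(2019-02-20T12:00:00Z), "App started",               '{}'
]
| extend customDimensions = bag_pack("Properties", propsJson)
| project-away propsJson;
sampleEvents
| where name == "Navigated to details view"
// Direct path access on a string value yields null, so a filter on it matches nothing.
| extend direct = tostring(customDimensions.Properties.productId)
// Parse the embedded JSON first, then read the property with an explicit type.
| extend props = parse_json(tostring(customDimensions.Properties))
| extend parsed = tostring(props.productId)
| where parsed == "4711"
| project timestamp, name, direct, parsed
```

Filtering before the top and project steps, as here, also keeps the row limit from discarding matching events before the where clause sees them.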

Related

Kusto Query to the earliest timestamp grouped by user_Id

I'm just starting with Kusto, and my journey was abruptly stopped by the problem of getting the list of user_Ids with the timestamp of the very first customEvent sent by a user in the given time frame.
How should I modify my query to get the results (let's assume that the limiting timespan is 30 days)?
customEvents
| where timestamp >= ago(30d)
| summarize min(timestamp)
If you want to get just the min of the timestamp just add the "by" clause:
customEvents
| where timestamp >= ago(30d)
| summarize min(timestamp) by user_Id
If you want to get the full row, use the arg_min() function, for example:
customEvents
| where timestamp >= ago(30d)
| summarize arg_min(timestamp, *) by user_Id

Trying to calculate the average on a count of records in my query results

I'm trying to create a query in Application Insights that can show me the absolute and average number of messages in conversations over a particular time period. I'm using the LUIS trace example to get the context+LUIS information, which is where I'm pulling the conversationID from. I can get a table showing the number of messages per conversation, but I would also like to have an average number of messages for the data set. Either static average or rolling average (by pulling in timestamp) would be fine. I can get this value by doing a second summarize statement, but then I lose the granularity from the first. Here is my query.
requests
| where url endswith "messages"
| where timestamp > ago(30d)
| project timestamp, url, id
| parse kind = regex url with *"(?i)http://"botName".azurewebsites.net/api/messages"
| join kind= inner (
traces | extend id = operation_ParentId
) on id
| where message == "LUIS"
| extend convID = tostring(customDimensions.LUIS_botContext_conversation_id)
| order by timestamp desc nulls last
| project timestamp, botName, convID
| summarize messages=count() by conversation=convID
This gives me a table of conversation IDs with the message count for each conversation. I would also like to see the average number of messages per conversation. For example, if I have 4 conversations with 100 messages total, I want to see that the average is 25. I can get this result by doing a second summarize statement | summarize messages=sum(messages), avgMessages=avg(messages), but then of course I can no longer see the individual conversations. Is there any way to see both in the same table?
You can write 2 queries, one for "gives me a table of conversation IDs with the message count for each conversation", and another for "the average number of messages per conversation". And consider using a let statement for your query.
The trick here is that, in both of the 2 queries, after the summarize statement, add this line of code at the end, like | extend myidentifier="aaa".
Then you can join the 2 queries by using myidentifier.
I couldn't figure out how to do this without losing granularity from the first list (i.e. I couldn't figure out how to calculate average per period e.g. day), but the following query does at least get me the average across whatever timestamp filter I set, which ultimately gets me at the data I was looking for.
requests
| where url endswith "messages"
| where timestamp > ago(30d)
| project timestamp, url, id
| parse kind = regex url with *"(?i)http://"botName".azurewebsites.net/api/messages"
| join kind= inner (
traces | extend id = operation_ParentId
) on id
| where message == "LUIS"
| extend convID = tostring(customDimensions.LUIS_botContext_conversation_id)
| order by timestamp desc nulls last
| project timestamp, botName, convID
| summarize messages=count() by conversation=convID
| summarize conversations=count(), messageAverage=avg(messages)
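The two-query approach suggested in the first answer above (let statements joined on a constant myidentifier column), written out as an added example that is not part of either post. The msgs table is constructed sample data standing in for the joined requests/traces rows, and the names msgs, perConversation and overall are hypothetical.

```kusto
// Constructed rows: one row per LUIS message, keyed by conversation id.
let msgs = datatable(convID: string)
[
    "conv-a", "conv-a", "conv-a",
    "conv-b",
    "conv-c", "conv-c"
];
// Query 1: message count per conversation, tagged with a constant join key.
let perConversation = msgs
    | summarize messages = count() by conversation = convID
    | extend myidentifier = "aaa";
// Query 2: totals and average across all conversations, tagged with the same key.
let overall = perConversation
    | summarize conversations = count(), messageAverage = avg(messages)
    | extend myidentifier = "aaa";
// Joining on the constant key repeats the overall figures on every per-conversation row.
perConversation
| join kind=inner overall on myidentifier
| project conversation, messages, conversations, messageAverage
```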

How to fix 'empty join will fail query'

I want to show the amount of total requests, and the total of the failing requests that are being tracked by ApplicationInsights.
When there are no failing requests in the table, the query will return an empty object (via API; in the portal it will say: 'NO RESULTS FOUND 0 records matched').
I've tried setting up a variable which is 0 and give it a new value in the join.
Also I tried to check if the join value is null or empty and gave it a 0 value when so.
But none of these helped.
requests
| where timestamp > ago(1h)
| summarize totalCount=sum(itemCount) by timestamp
| join (
requests
| where success == false and timestamp > ago(1h)
| summarize totalFailCount =sum(itemCount) by timestamp
) on timestamp
| project timestamp, totalCount, totalFailCount
What I want as a result is that if there are no failing requests, totalCount should display 0.
It seems that you do not need a join in this case, if you aggregate by timestamp you will get the buckets based on the actual values in this column, most people usually like to count by time "buckets" for example one minute, here is an example for that:
requests
| where timestamp > ago(1h)
| summarize totalCount=count(), totalFailCount = countif(success == false) by bin(timestamp, 1m)

Application Insight Analytics Pivot

Is there a way to pivot in Azure Application insight analytic queries? SQL has a Pivot Keyword, can similar be achieved in Application insight Analytics?
When I run the below query I get exceptions and count, but I would like to see a day on day trending
exceptions
| where timestamp >= ago(24h)
| extend Api = replace(@"/(\d+)",@"/xxxx", operation_Name)
| summarize count() by type
| sort by count_ desc
| limit 10
| project Exception = type, Count = count_
I am looking for something below day wise.
The easiest way to achieve something similar to what you need is by using:
exceptions
| where timestamp >= ago(7d)
| summarize count() by type, bin(timestamp, 1d)
This will give in the output one line per-type, per-day. Not exactly what you wanted but it will look good when rendered in graph (will give you a line for each type).
To get a table similar to what you put in your example would be more difficult, but this query should do the trick:
exceptions
| where timestamp >= startofday(ago(3d))
| extend Api = replace(@"/(\d+)",@"/xxxx", operation_Name)
| summarize count() by type, bin(timestamp, 1d)
| summarize
Today = sumif(count_, timestamp == startofday(now())),
Today_1 = sumif(count_, timestamp == startofday(ago(1d))),
Today_2 = sumif(count_, timestamp == startofday(ago(2d))),
Today_3 = sumif(count_, timestamp == startofday(ago(3d)))
by type

"Failed to resolve 'top' key column" Error in Application Insights Analytics Custom Dimensions

I have some data in Application Insights, and I am using the Analytics view to write queries against it.
I can see that I have a trace, the CustomDimensions of which contain a property called ActivityID, which is a guid:
What I want to do is now run another query to return all traces that contain that ActivityId.
Using this as a guide, I currently have the following:
union (traces
| extend ActivityId = tostring(customDimensions.ActivityId)
| project ActivityId
| where ActivityId == "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
| top 101 by timestamp desc
However, this is returning the following syntax error message:
Failed to resolve 'top' key column
What am I doing wrong? I would also appreciate an explanation of the error message if possible.
You cannot do a top on projection unless you actually include the timestamp column in the projection.
I did:
union (traces)
| top 101 by timestamp desc
| project session_Id
so this should work
union (traces
| extend ActivityId = tostring(customDimensions.ActivityId)
| where ActivityId == "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
| top 101 by timestamp desc
| project ActivityId
and then it works. What is your complete query (I guess there is more since you are using union?)
You must project the 'timestamp' column if you want to use it inside the top.
traces
| extend ActivityId = tostring(customDimensions.ActivityId)
| project ActivityId, timestamp
| where ActivityId == "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
| top 101 by timestamp desc
*Note that you also do not need to use union
