Is there a way to pivot in Azure Application insight analytic queries? SQL has a Pivot Keyword, can similar be achieved in Application insight Analytics?
When I run the below query I get exceptions and count, but I would like to see a day on day trending
exceptions
| where timestamp >= ago(24h)
| extend Api = replace(#"/(\d+)",#"/xxxx", operation_Name)
| summarize count() by type
| sort by count_ desc
| limit 10
| project Exception = type, Count = count_
I am looking for something below day wise.
The easiest way to achieve something similar to what you need is by using:
exceptions
| where timestamp >= ago(7d)
| summarize count() by type, bin(timestamp, 1d)
This will give in the output one line per-type, per-day. Not exactly what you wanted but it will look good when rendered in graph (will give you a line for each type).
To get a table similar to what you put in your example would be more difficult, but this query should do the trick:
exceptions
| where timestamp >= startofday(ago(3d))
| extend Api = replace(#"/(\d+)",#"/xxxx", operation_Name)
| summarize count() by type, bin(timestamp, 1d)
| summarize
Today = sumif(count_, timestamp == startofday(now())),
Today_1 = sumif(count_, timestamp == startofday(ago(1d))),
Today_2 = sumif(count_, timestamp == startofday(ago(2d))),
Today_3 = sumif(count_, timestamp == startofday(ago(3d)))
by type
Related
I'm just starting with kusto, and my journey was abruptly stopped by the problem of getting the list of user_Ids with the timestamp of the very first customEvent sent by a user in the given time frame.
How should I modify my query to get the results (let's assume that the limiting timespan is 30days)
customEvents
| where timestamp >= ago(30d)
| summarize min(timestamp)
If you want to get just the min of the timestamp just add the "by" clause:
customEvents
| where timestamp >= ago(30d)
| summarize min(timestamp) by user_Id
If you want to get the full row, use arg_min() function, for example:
customEvents
| where timestamp >= ago(30d)
| summarize arg_min(timestamp, *) by user_Id
I'm trying to create a query in Application Insights that can show me the absolute and average number of messages in conversations over a particular time period. I'm using the LUIS trace example to get the context+LUIS information, which is where I'm pulling the conversationID from. I can get a table showing the number of messages per conversation, but I would also like to have a average number of messages for the data set. Either static average or rolling average (by pulling in timestamp) would be fine. I can get this value by doing a second summarize statement, but then I lose the granularity from the first. Here is my query.
requests
| where url endswith "messages"
| where timestamp > ago(30d)
| project timestamp, url, id
| parse kind = regex url with *"(?i)http://"botName".azurewebsites.net/api/messages"
| join kind= inner (
traces | extend id = operation_ParentId
) on id
| where message == "LUIS"
| extend convID = tostring(customDimensions.LUIS_botContext_conversation_id)
| order by timestamp desc nulls last
| project timestamp, botName, convID
| summarize messages=count() by conversation=convID
This gives me a table of conversation IDs with the message count for each conversation. I would also like to see the average number of messages per conversation. For example, if I have 4 conversations with 100 messages total, I want to see that the average is 25. I can get this result by doing a second summarize statement | summarize messages=sum(messages), avgMessages=avg(messages), but then of course I can no longer see the individual conversations. Is there any way to see both in the same table?
You can write 2 queries, one for "gives me a table of conversation IDs with the message count for each conversation", and another for " the average number of messages per conversation". And consider use Let statement for your query.
The tricky here is that, in both of the 2 queries, after the summarize statement, add this line of code at the end, like | extend myidentifier="aaa" .
Then you can join the 2 queries by using myidentifier.
I couldn't figure out how to do this without losing granularity from the first list (i.e. I couldn't figure out how to calculate average per period e.g. day), but the following query does at least get me the average across whatever timestamp filter I set, which ultimately gets me at the data I was looking for.
requests
| where url endswith "messages"
| where timestamp > ago(30d)
| project timestamp, url, id
| parse kind = regex url with *"(?i)http://"botName".azurewebsites.net/api/messages"
| join kind= inner (
traces | extend id = operation_ParentId
) on id
| where message == "LUIS"
| extend convID = tostring(customDimensions.LUIS_botContext_conversation_id)
| order by timestamp desc nulls last
| project timestamp, botName, convID
| summarize messages=count() by conversation=convID
| summarize conversations=count(), messageAverage=avg(messages)
I'm querying log entries in Azure Application Insights originating from AppCenter Diagnostics using Azure Log Analytics.
In some log entries i use custom propertys.
Now i'm trying to write a query to show values only with certain properties having a given value.
My original query looks like this and produces the expected result:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
| top 101 by timestamp desc
| project timestamp, name, customDimensions.Properties
| where name == "Navigated to details view"
Hovering over the "productId" property shows a plus-sign which allows to add a filter criteria:
Choosing this options extends my query:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
| top 101 by timestamp desc
| project timestamp, name, customDimensions.Properties
| where name == "Navigated to details view"
| where customDimensions_Properties.productId == 4711
So far, so good. If i now try to run this query i get the message "NO RESULTS FOUND":
Edit:
I also tried adding the where clause on the bottom to the first where clause
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
and name == "Navigated to details view"
and customDimensions.Properties.productId == 4711
| top 101 by timestamp desc
| project timestamp, name, customDimensions
Unfortunately no result either.
Edit 2:
I also tried this query to see if i can project the productId property in my query without including it in the where clause:
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
and name == "Navigated to details view"
| top 101 by timestamp desc
| project timestamp, name, customDimensions, customDimensions.Properties.productId
But this column is empty:
Is there anything i am missing? Is the tooling a problem and producing a wrong query?
Thank you for any help!
You would have to use various operators like mvexpand and extend to accomplish your requirement. Please find below sample query. Note that the below one is just a sample query which you may have to tweak a bit to make it work as expected and get the expected output (say if you are expecting output with all the columns of the customEvent at a particular timestamp which has particular productId, etc.)
customEvents
| where (timestamp >= datetime(2019-02-20T09:04:00.000Z) and timestamp <= datetime(2019-02-21T09:04:00.000Z))
| top 101 by timestamp desc
| project timestamp, name, customDimensions_Properties
| where name == "Navigated to details view"
| extend CDP_toString=parsejson(tostring(customDimensions_Properties))
| mvexpand CDP_toString
| project CDP_toString
| where CDP_toString.['productId'] == "4711";
Hope this helps!! Cheers!! :)
I'm trying to plot an area chart of one sum/count metric over time in Application Insights Analytics:
customEvents
| where timestamp > ago(7d)
| summarize count() by bin(timestamp, 1h)
| render areachart
What I see is that if there is no data in some buckets then chart doesn't drop to 0. Instead two dots are connected and there is perception that there were some data when in fact there were not.
Question - how to get zero-filled area charts (corresponding to red ink chart)?
There are several ways to achieve this.
make-series operator allows to set default value for the periods where no data is present for aggregation:
customEvents
| where timestamp > ago(10m)
| make-series count() default=0 on timestamp in range(ago(10m), now(), 1m)
| render areachart
This will produce zero-filled data array and | render will build the chart accordingly.
If | summarize is preferred, you can create zero-filled range yourself with range operator:
let defaultValue = 0;
range timestamp from floor(ago(10m),1m) to floor(now() + 10m,1m) step 1m
| join kind=leftouter
(
customEvents
| where timestamp > floor(ago(10m),1m) and timestamp < floor(now(),1m)
| summarize Value=count() by bin(timestamp, 1m)
) on timestamp
| project timestamp, value = iff(isnotempty(Value), Value, defaultValue)
| render areachart
Make sure to use join kind=leftouter to have all timestamps from the left side of the join present in output.
I'm trying to create a row in an output table that would calculate percentage of total items:
Something like this:
ITEM | COUNT | PERCENTAGE
item 1 | 4 | 80
item 2 | 1 | 20
I can easily get a table with rows of ITEM and COUNT, but I can't figure out how to get total (5 in this case) as a number so I can calculate percentage in column %.
someTable
| where name == "Some Name"
| summarize COUNT = count() by ITEM = tostring( customDimensions.["SomePar"])
| project ITEM, COUNT, PERCENTAGE = (C/?)*100
Any ideas? Thank you.
It's a bit messy to create a query like that.
I've done it bases on the customEvents table in AI. So take a look and see if you can adapt it to your specific situation.
You have to create a table that contains the total count of records, you then have to join this table. Since you can join only on a common column you need a column that has always the same value. I choose appName for that.
So the whole query looks like:
let totalEvents = customEvents
// | where name contains "Opened form"
| summarize count() by appName
| project appName, count_ ;
customEvents
// | where name contains "Opened form"
| join kind=leftouter totalEvents on appName
| summarize count() by name, count_
| project name, totalCount = count_ , itemCount = count_1, percentage = (todouble(count_1) * 100 / todouble(count_))
If you need a filter you have to apply it to both tables.
This outputs:
It is not even necessary to do a join or create a table containing your totals
Just calculate your total and save it in a let like so.
let totalEvents = toscalar(customEvents
| where timestamp > "someDate"
and name == "someEvent"
| summarize count());
then you can simply add a row to your next table, where you need the percentage calcualtion by doing:
| extend total = totalEvents
This will add a new column to your table filled with the total you calculated.
After that you can calculate the percentages as described in the other two answers.
| extend percentages = todouble(count_)*100/todouble(total)
where count_ is the column created by your summarize count() which you presumably do before adding the percentages.
Hope this also helps someone.
I think following is more intuitive. Just extend the set with a dummy property and do a join on that...
requests
| summarize count()
| extend a="b"
| join (
requests
| summarize count() by name
| extend a="b"
) on a
| project name, percentage = (todouble(count_1) * 100 / todouble(count_))
This might work too:
someTable
| summarize count() by item
| as T
| extend percent = 100.0*count_/toscalar(T | summarize sum(count_))
| sort by percent desc
| extend row_cumsum(percent)