Azure Application Insights KQL - How to accumulate values?

I would like to accumulate values by timestamp in an ever-growing manner.
The following query
ContainerLog
| extend logsize = string_size(LogEntry)
| summarize sum(logsize) by bin(TimeGenerated, 1m)
| render timechart
generates a graph that goes up and down:
I would like to add the previous value with the current value, this way generating an always growing graph symbolizing the total amount of requests up to that moment.

// Sample data generation. Not part of the solution.
let ContainerLog = materialize(range i from 1 to 15 step 1 | extend TimeGenerated = ago(7d*rand()), logsize = rand(1000));
// Solution starts here.
ContainerLog
| summarize sum(logsize) by bin(TimeGenerated, 1m)
| order by TimeGenerated asc
| extend accumulated_sum_logsize = row_cumsum(sum_logsize)
| render timechart
P.S.
I kept sum_logsize for learning purposes.
In your scenario it can be removed.

Related

Exclude certain days/time from query results? (Ex. Thursday's midnight-2am EST)

I am newer to KQL and I am trying to write a query against configuration changes made to files with an extension of ".config" and would like to remove results that are generated under the "TimeGenerated [UTC]" column. The results should exclude Thursdays from midnight-2am EST. Understanding that TimeGenerated is in UTC, the query should be offsetting that to return EST.
Would someone be able to assist me in writing this? Not sure how to write it up as to have it return the results that exclude the specific time frame. Below is what I have so far:
ConfigurationChange
| where dayofweek(datetime_add('hour', -5, TimeGenerated)) != 4d and hourofday(datetime_add('hour', -5, TimeGenerated)) !in(0, 1) // <---
| where ConfigChangeType in ("Files")
| where FileSystemPath endswith ".config"
| sort by TimeGenerated
| render table
Replace 4d with 4, because dayofweek() returns the number of day (between 0 and 6).

Kusto query to exclude results from a certain time (Ex. Thursday from midnight-2am EST)

I am newer to KQL and I am trying to write a query against configuration changes made to files with an extension of ".config" and would like to remove results that are generated under the "TimeGenerated [UTC]" column. The results should exclude Thursdays from midnight-2am EST. Would someone be able to assist me in writing this? Not sure how to write it up as to have it return the results that exclude the specific time frame. Below is what I have so far:
ConfigurationChange
| where ConfigChangeType in("Files")
| where FileSystemPath contains ".config"
| sort by TimeGenerated
| render table
Try adding the following filter, using dayofweek() and hourofday().
Note: The example below works in UTC. You can add the current offset of UTC -> EST to TimeGenerated as part of the filter
ConfigurationChange
| where not(dayofweek(TimeGenerated) == 4d and hourofday(TimeGenerated) in (0, 1)) // <--- drops only Thursday 00:00-01:59 (dayofweek(): Sunday = 0d, Thursday = 4d)
| where ConfigChangeType in ("Files")
| where FileSystemPath contains ".config"
| sort by TimeGenerated
| render table
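An added example (not from either answer above) for the two Thursday-exclusion questions: the window is written as one negated condition, so only Thursday 00:00-01:59 Eastern is dropped from the change review, and the conversion uses datetime_utc_to_local() rather than a fixed -5h offset so it follows daylight saving time. It assumes the window is defined in Eastern wall-clock time; the SampleChanges table and its file paths are constructed stand-ins for ConfigurationChange.

```kusto
// Constructed sample rows standing in for ConfigurationChange (not real data).
let SampleChanges = datatable(TimeGenerated: datetime, ConfigChangeType: string, FileSystemPath: string)
[
    datetime(2023-01-12 05:30:00), "Files", @"C:\inetpub\wwwroot\web.config",   // Thu 00:30 EST -> excluded
    datetime(2023-01-12 06:59:00), "Files", @"C:\inetpub\wwwroot\app.config",   // Thu 01:59 EST -> excluded
    datetime(2023-01-12 07:00:00), "Files", @"C:\inetpub\wwwroot\web.config",   // Thu 02:00 EST -> kept
    datetime(2023-01-12 20:00:00), "Files", @"C:\inetpub\wwwroot\web.config",   // Thu 15:00 EST -> kept
    datetime(2023-01-13 05:30:00), "Files", @"C:\inetpub\wwwroot\web.config",   // Fri 00:30 EST -> kept
    datetime(2023-07-13 04:30:00), "Files", @"C:\inetpub\wwwroot\web.config",   // Thu 00:30 EDT -> excluded
    datetime(2023-07-13 06:00:00), "Files", @"C:\inetpub\wwwroot\web.config",   // Thu 02:00 EDT -> kept
    datetime(2023-01-12 05:45:00), "Files", @"C:\inetpub\wwwroot\notes.txt"     // not a .config file
];
SampleChanges
// Convert once, DST-aware; TimeGenerated itself stays in UTC.
| extend EasternTime = datetime_utc_to_local(TimeGenerated, 'America/New_York')
// dayofweek() returns a timespan: Sunday = 0d ... Thursday = 4d.
| extend InMaintenanceWindow = dayofweek(EasternTime) == 4d and hourofday(EasternTime) in (0, 1)
// Negate the whole window; "!= 4d and !in (0, 1)" would also hide
// the rest of Thursday and 00:00-01:59 on every other day.
| where not(InMaintenanceWindow)
| where ConfigChangeType == "Files"
| where FileSystemPath endswith ".config"
| project TimeGenerated, EasternTime, FileSystemPath
| sort by TimeGenerated asc
```

Against real data, replace SampleChanges with ConfigurationChange. Four of the eight constructed rows are returned: Thursday 02:00 and 15:00 EST, Friday 00:30 EST, and Thursday 02:00 EDT.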

AppInsights > Logs > Render Bar Chart to start from 0

In my Angular application I am tracking filters that users utilize on one of the pages. What I can later see in Logs, is the following (query for last 24 hours)
What I am interested in, is the count of filters grouped by its name. So I created the following query:
However the problem as you can see, is that my y-axis starts from 1 instead of 0. To users this looks like the last two filters don't have any values, where in reality they both have count of 1.
I have tried to use ymin=0 together with render function, however it did not work (chart still starts from 1). Then I have read I need to use make-series() function and so I tried:
customEvents
| where timestamp >= ago(24h)
| where customDimensions.pageName == 'product'
| make-series Count=count(name) default=0 on timestamp from datetime(2019-10-10) to datetime(2019-10-11) step 1d by name
| project name, Count
However the result is some weird matrix instead of a regular table:
I have just started with application insights thus any help in respect to this matter would be more than appreciated. Thank you
in Workbooks in application insights you could do almost this query (see below for a simplification?), then use the chart settings and set the axis min/max explicitly:
but why are you using make-series but then summarizing to just one series?
in this specific case is summarize simpler:
customEvents
| where timestamp between(datetime(2019-10-10) .. datetime(2019-10-11))
| where customDimensions.pageName == 'product'
| summarize Count=count(name) by name
| render barchart
in the logs blade (where you are), you could do this query, and I believe you can use
render barchart title="blah" ymin=0
(at some point workbooks will be able to "see" all the render options like ymin/ymax/xmin/xmax/title/etc, but right now they're all stripped out at service layer)
A bit late to the party, but the correct syntax to pass in ymin and ymax when using a query is this:
| ...
| render barchart with (ymin=0, ymax=100)
See https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/renderoperator?pivots=azuremonitor

Local time in Azure Data Explorer / Kusto timechart

Timechart x-axis time is printed in UTC-2h, while it should be printed in UTC. Other charts, such as columnchart, work fine (time is shown in UTC).
Is this an issue?
Is it possible to format time in charts? For instance, printing x-axis time in local time...
Timechart column in Azure Data Explorer is stored in UTC (Local time -2h in my location).
When printing a columnchart, time in X-axis is printed in UTC (local time -2h) -> OK
(Image: columnchart output)
When printing a timechart, time in x-axis is printed in UTC-2h (local time-4)-> KO
(Image: timechart output)
Azure Data Explorer query:
let min_t = toscalar (<tablename> | summarize min(Timestamp));
let max_t = toscalar (<tablename> | summarize max(Timestamp));
<tablename>
| make-series sum(TrxCount) on Timestamp in range(min_t, max_t, 30m )
| render columnchart
This is indeed a bug.
It happens specifically after make-series so doing something like
<tablename> | summarize sum(TrxCount) by bin(Timestamp, 30m) | render timechart
should work (although it won't fill empty data like make-series does).

React native firebase 'average' query?

I come from a php/mysql background, and json data and firebase queries are still pretty new to me. Now I am working in React Native and I have a collection of data, and one of the keys stores an integer. I want to get the average of all the integers. Where do I even start?
I have used Firebases snapshot.numChildren function before so I am getting a little more familiar in this json world, but any sort of help would be appreciated. Thanks!
So, you know that you can return all of the data and determine the average. I'm guessing this is for a large set of data where it would be ideal not to return the entire node every time you would like to retrieve and average.
It depends on what this data is and how it's being updated, but I think one option is to simply have a separate node that is updated every time the collection is added to or is changed.
Here is some really rough pseudo code. For example, if your database looks like this:
database
|
+--collection
| |
| +--item_one (probably a uid like -k2jduwi5j5j5)
| | |
| | +--number: 90
| |
| +--item_two
| | |
| | +--number: 70
|
+--collection_metadata
| |
| +--average: 80
| |
| +--number_of_items: 2
Then when a new item is added, you run a metadata calculation:
var numerator = average * number_of_items + newItem.number;
number_of_items++; // this is your new number of items
average = numerator / number_of_items; // this is your new average
Then when an item is updated, you run a metadata calculation:
var numerator = average * number_of_items - changedItem.oldNumber + changedItem.newNumber;
average = numerator / number_of_items; // this is your new average
Now when you want this data, you always have this data on hand.
