I have a table of analytics events for our app that include UserID and the version. The data is in Azure AppInsights and I need to use Kusto query.
An example of the data is
UserID
application_Version
07603a38-dfec-4bdb-941c-fd990d973fef
3.8.0
07603a38-dfec-4bdb-941c-fd990d973fef
3.8.0
07603a38-dfec-4bdb-941c-fd990d973fef
3.9.0
a17719f2-3739-4050-bbad-bc75e6b063df
3.9.0
e1e260fc-010d-457a-96f0-d126c410c79f
3.1.0
e1e260fc-010d-457a-96f0-d126c410c79f
3.8.0
e1e260fc-010d-457a-96f0-d126c410c79f
3.8.0
e1e260fc-010d-457a-96f0-d126c410c79f
3.8.0
9fcc5ef2-5c61-48f4-b0cc-2f4e69851f5e
3.9.0
I can group by UserId and show a count across app versions OR I can group by app version with a count across all users.
However what I want it to group by UserId and within that I want a count for each version.
The desired table output would be for the data above
UserID
application_Version
Count
07603a38-dfec-4bdb-941c-fd990d973fef
3.8.0
2
07603a38-dfec-4bdb-941c-fd990d973fef
3.9.0
1
a17719f2-3739-4050-bbad-bc75e6b063df
3.9.0
1
e1e260fc-010d-457a-96f0-d126c410c79f
3.1.0
1
e1e260fc-010d-457a-96f0-d126c410c79f
3.8.0
3
9fcc5ef2-5c61-48f4-b0cc-2f4e69851f5e
3.9.0
1
This query does counts of app versions across all users but I want it split by user and version. How do i summarize across both fields?
customEvents
| extend Properties = todynamic(tostring(customDimensions.Properties))
| extend UserID = Properties.UserID
| where application_Version !in~ ("4.0.2", "4.1.0", "4.0.1")
| summarize count(UserID) by application_Version
Thanks to #Peter Bons for pointing out the painfully obvious. I now have this working.
I've also removed the case insensitive syntax. The query is now
customEvents
| extend Properties = todynamic(tostring(customDimensions.Properties))
| extend UserID = Properties.UserID
| where application_Version !in ("4.0.2", "4.1.0", "4.0.1") and isnotnull(UserID) and timestamp > ago(60d)
| summarize count() by tostring(UserID), application_Version
Related
I am trying to find what's causing the higher RU usage on the Cosmos DB. I enabled the Log Analytics on the Doc DB and ran the below Kusto query to get the RU consumption by Collection Name.
AzureDiagnostics
| where TimeGenerated >= ago(24hr)
| where Category == "DataPlaneRequests"
| summarize ConsumedRUsPer15Minute = sum(todouble(requestCharge_s)) by collectionName_s, _ResourceId, bin(TimeGenerated, 15m)
| project TimeGenerated , ConsumedRUsPer15Minute , collectionName_s, _ResourceId
| render timechart
We have only one collection on the DocDb Account (prd-entities) which is represents Red line in the Chart. I am not able to figure out what the Blue line represents.
Is there a way to get more details about the empty collection name RU usage (i.e., Blue line)
I'm not sure but I think there's no empty collection costs RU actually.
Per my testing in my side, I found that when I execute your kusto query I can also get the 'empty collection', but when I watch the line details, I found all these rows are existing in my operation. What I mean here is that we shouldn't sum by collectionName_s especially you only have one collection in total, you may try to use requestResourceId_s instead.
When using requestResourceId_s, there're still some rows has no id, but they cost 0.
AzureDiagnostics
| where TimeGenerated >= ago(24hr)
| where Category == "DataPlaneRequests"
| summarize ConsumedRUsPer15Minute = sum(todouble(requestCharge_s)) by requestResourceId_s, bin(TimeGenerated, 15m)
| project TimeGenerated , ConsumedRUsPer15Minute , requestResourceId_s
| render timechart
Actually, you can check the requestCharge_s are coming from which operation, just watch details in Results, but not in Chart, and order by the collectionName_s, then you'll see those requests creating from the 'empty collection', judge if these requests existing in your collection.
What is project here in KUSTO query which is just conversion of SQL query?
I was just checking how does KUSTO query looks for any SQL query.
SQL Query:
SELECT operationName as Name, AVG(duration) as AvgD FROM dependencies
GROUP BY name
KUSTO:
dependencies
| summarize AvgD = avg(duration) by operationName
| project Name = operationName, AvgD
Does it just typo for alias change of OperationName?
There is no typo in the Kusto query you've included - it's a valid query, both syntactically and semantically.
That said, renaming the operationName column to Name can also be achieved as follows (which is semantically equivalent):
dependencies | summarize AvgD = avg(duration) by Name = operationName
I understand how to use requests and dependencies in a query.
How can I only list requests having more than a specific number of dependencies?
The comment is right, you should use join and count for your purpose. Note that the requests and dependencies are related by operation_Id.
Please use the code below which works for me (list requests that have more than 3 dependencies).
let myrequests = requests
| where timestamp > ago(1h)
| join (dependencies | where timestamp > ago(1h))
on operation_Id
| summarize mycount=count() by operation_Id
| where mycount > 3;
requests
| where timestamp >ago(1h)
| join myrequests
on operation_Id
Result as below:
I have an application insights query. And in this query I want to join/combine several columns into a single column for display how can this be accomplished.
I want to combine ip, city, state, country.
customEvents
| where timestamp >= ago(7d)
| where (itemType == 'customEvent')
| where name == "Signin"
| project timestamp, customDimensions.appusername, client_IP,client_City,client_StateOrProvince, client_CountryOrRegion
| order by timestamp desc
strcat is your friend, with whatever strings you want as separators (i just use spaces in the example):
| project timestamp, customDimensions.appusername,
strcat(client_IP," ",client_City," ",client_StateOrProvince," ", client_CountryOrRegion)
also, the | where (itemType == 'customEvent') in your query is unnecessary, as everything in the customEvents table is already a customEvent. you only need a filter like that on itemType if you join multiple tables somehow (like union requests, customEvents or a join somewhere in your query that references multiple tables)
Based on datapoint numbers I'm seeing, a client's website is averaging 28 dependencies per each request. That does seem very high to me so I'd like to do some analysis by rolling dependency data points up on page views and requests to the website. Unfortunately, looking at the fields available via Application Insights, there doesn't seem to be a natural field to join dependency to pageviews or requests. Any thoughts as to how I would go about doing so?
You can consider using OperationContext
This may get you running in the right direction
requests
| where timestamp > ago(1d)
| project timestamp, operation_Id
| join (dependencies
| where timestamp > ago(1d)
| summarize count(duration) by operation_Id, type
) on operation_Id
This is what I use to look at 22 hours of my data for a particular request talking to sql server
// Requests
requests
| where timestamp >= datetime(2017-08-24T08:59:59.999Z) and timestamp < datetime(2017-08-25T06:30:00.001Z)
| where (itemType == 'request' and ((timestamp >= datetime(2017-08-24T09:00:00.000Z) and timestamp <= datetime(2017-08-25T06:30:00.000Z)) and (client_Type == 'PC' and operation_Name == 'POST /CareDelivery/CareDelivery/ServiceUserDetailsForDeviceUserChunked/00000000-0000-0000-0000-000000000000')))
| join (dependencies
| where timestamp >= datetime(2017-08-24T08:59:59.999Z) and timestamp < datetime(2017-08-25T06:30:00.001Z)
| summarize count(duration) by operation_Id, type
) on operation_Id
| summarize count_dependencies=avg(count_duration) by type, bin(timestamp, 20m)
Post this into the query and the format will be ok, and you can read it - wish i could