The following example query works in the Azure Data Explorer UI but not with Kqlmagic in Jupyter Notebook.
%%kql
let min_t = toscalar(demo_make_series1 | summarize min(TimeStamp));
let max_t = toscalar(demo_make_series1 | summarize max(TimeStamp));
demo_make_series1
| make-series num=count() default=0 on TimeStamp in range(min_t, max_t, 1h) by OsVer
| render timechart
It just throws No valid xcolumn. Any idea what's the issue?
Note: The database demo_make_series1 is available on the help cluster from ADX.
This indeed looks like a bug in KqlMagic rendering. We shall check and update. Meanwhile you can use mv-expand before rendering. Regardless, in make-series I suggest you avoid using the deprecated range(...) syntax in favor of 'from ... to ... step ...'. Here is the updated query:
%%kql
let min_t = toscalar(demo_make_series1 | summarize min(TimeStamp));
let max_t = toscalar(demo_make_series1 | summarize max(TimeStamp));
demo_make_series1
| make-series num=count() default=0 on TimeStamp from min_t to max_t step 1h by OsVer
| mv-expand num to typeof(long), TimeStamp to typeof(datetime)
| render timechart
thanks,
Adi
I want to have a table that stores only daily table sizes.
But it won't work this way:
.set-or-replace async tables_daily_storage <|
(
.show cluster extents
| where MinCreatedOn >= startofday(now())
| project DatabaseName,TableName,OriginalSize,D=bin(MinCreatedOn,1d)
| summarize total_size=sum(OriginalSize) by DatabaseName, TableName
)
Because I used .show function which is a management function.
Is there anything to get around this problem?
Simply remove the brackets
doc
.set-or-replace async tables_daily_storage <|
.show cluster extents
| where MinCreatedOn >= startofday(now())
| project DatabaseName,TableName,OriginalSize,D=bin(MinCreatedOn,1d)
| summarize total_size=sum(OriginalSize) by DatabaseName, TableName
I have a table like the one below in Room, in an Android application. I use a raw query to get data. Can it be sorted by the second value in the array sorting_field?
---------------------------------------------
| id | other_fields | sorting_field |
---------------------------------------------
| 1001 | … | ["24","0.02","2"] |
---------------------------------------------
Initially I did the sorting part in Repository with Transformations.switchMap, inside the function a MutableLiveData> and applied Collections.sort.
It worked like a charm:
Collections.sort(list, (o1, o2) -> Double.compare(Double.valueOf(o1.sorting_field().get(positionInList)), Double.valueOf(o2.sorting_field().get(positionInList))));
After Paging implementation, I took the sorting logic out, moved to queries builder and here I am.
I have 2 KQL queries and I want to combine them in order to display two rows as one result. Not just result of first query, then result of second query:
R_CL
| where isnotempty(SrcIP_s)
| project Message
| take 1;
R_CL
| where isempty(SrcIP_s)
| project Message
| take 1
See sample R_CL below. I would like to see 2 rows as result, one with SrcIP_s not empty, and the second with SrcIP_s empty (in this case it will always be the same one).
let R_CL = datatable ( SrcIP_s:string, Message:string)
["1.1.1.1" ,"one",
"" ,"two",
"2.2.2.2","three",
"3.3.3.3","four"];
R_CL
| project SrcIP_s, Message
A simple solution for this would be to use the union operator like this:
let query1 = R_CL
| where isnotempty(SrcIP_s)
| project Message
| take 1;
let query2 = R_CL
| where isempty(SrcIP_s)
| project Message
| take 1;
query1
| union query2;
I know this is an old request - but here's a sample query using views and a union for your single query:
Your two separate queries...
R_CL
| where isnotempty(SrcIP_s)
| project Message
| take 1;
R_CL
| where isempty(SrcIP_s)
| project Message
| take 1
would become:
let Query1 = view () {
R_CL
| where isnotempty(SrcIP_s)
| project Message
| take 1;
};
let Query2 = view () {
R_CL
| where isempty(SrcIP_s)
| project Message
| take 1
};
union withsource="TempTableName" Query1, Query2
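An added example, not part of either answer above: the same two-row result can also be produced in a single pass over R_CL by grouping on whether SrcIP_s is empty, which goes beyond the union approach shown. The datatable is the question's sample data; the column name HasSrcIP is an assumption introduced here.

```kusto
// Sample data copied from the question's datatable
let R_CL = datatable (SrcIP_s:string, Message:string)
[
    "1.1.1.1", "one",
    "",        "two",
    "2.2.2.2", "three",
    "3.3.3.3", "four"
];
R_CL
// One group for rows with a source IP, one group for rows without
| extend HasSrcIP = isnotempty(SrcIP_s)
// take_any() picks an arbitrary row per group, like "take 1" in the original queries
| summarize Message = take_any(Message) by HasSrcIP
```

A group only appears in the output if at least one row falls into it, so a table with no empty SrcIP_s values returns a single row.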
Our exceptions have a custom field: customDimensions.ActivityId
exceptions
| where isnotnull(customDimensions.ActivityId)
| extend actid = tostring(customDimensions.ActivityId)
| distinct actid
I'd like to get the most recent exception for each activity id.
Good answer below, I ended up going with:
exceptions
| extend actid = tostring(customDimensions.ActivityId)
| where isnotempty(actid) // tostring() never returns null, so isnotnull(actid) would always be true
| summarize arg_min(timestamp, *) by actid
| order by timestamp desc
Because I actually want the first message with an exception to occur during an activity.
According to this doc about arg_max() aggregation, this should be as easy as
exceptions
| where isnotnull(customDimensions.ActivityId)
| extend actid = tostring(customDimensions.ActivityId)
| summarize arg_max(timestamp, *) by actid
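An added example, not from the original posts: arg_min and arg_max can be combined in one summarize to get both the first and the most recent exception per activity id. The datatable rows and the output column names (firstSeen, firstMessage, lastSeen, lastMessage, exceptionCount) are constructed for illustration.

```kusto
// Constructed sample rows standing in for the Application Insights exceptions table
let exceptions = datatable (timestamp:datetime, outerMessage:string, customDimensions:dynamic)
[
    datetime(2024-01-01 10:00:00), "connection reset",  dynamic({"ActivityId":"a1"}),
    datetime(2024-01-01 10:00:05), "retry failed",      dynamic({"ActivityId":"a1"}),
    datetime(2024-01-01 10:01:00), "token expired",     dynamic({"ActivityId":"a2"}),
    datetime(2024-01-01 10:02:00), "no activity field", dynamic({"Other":"x"})
];
exceptions
| extend actid = tostring(customDimensions.ActivityId)
// tostring() of a missing property is an empty string, not null, so filter with isnotempty()
| where isnotempty(actid)
// Tuple assignment names the columns returned by each arg_* aggregation
| summarize (firstSeen, firstMessage) = arg_min(timestamp, outerMessage),
            (lastSeen, lastMessage)   = arg_max(timestamp, outerMessage),
            exceptionCount = count()
    by actid
| order by firstSeen desc
```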
I use this query to display exceptions:
exceptions
| where application_Version == "xyz"
| summarize count_=count(itemCount), impactedUsers=dcount(user_Id) by problemId, type, method, outerMessage, innermostMessage
| order by impactedUsers
How to query what percent of users are impacted by specific exception?
I would check all users by this query:
customEvents
| where application_Version == "xyz"
| summarize dcount(user_Id)
You're almost there with what you have, you just need to connect the two:
Use let + toscalar to define the results of a query as a number.
Reference that in your query (I used *1.0 to force it to be a float, otherwise you get 0, and used round to get 2 decimals; adjust that however you need).
making your query:
let totalUsers = toscalar(customEvents
| where application_Version == "xyz"
| summarize dcount(user_Id));
exceptions
| where application_Version == "xyz"
| summarize count_=count(itemCount),
impactedUsers=dcount(user_Id),
percent=round(dcount(user_Id)*1.0/totalUsers*100.0,2)
by problemId, type, method, outerMessage, innermostMessage
| order by impactedUsers
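An added example, not from the original answer: a self-contained version of the percentage query that runs against constructed datatables and puts the integer-division result next to the floating-point one. The sample rows and the column names truncated and percent are assumptions made here.

```kusto
// Constructed sample data standing in for the Application Insights tables
let customEvents = datatable (user_Id:string, application_Version:string)
[
    "u1", "xyz",
    "u2", "xyz",
    "u3", "xyz",
    "u4", "abc"
];
let exceptions = datatable (user_Id:string, application_Version:string, problemId:string, itemCount:int)
[
    "u1", "xyz", "NullReference at A", 1,
    "u1", "xyz", "NullReference at A", 1,
    "u2", "xyz", "NullReference at A", 1,
    "u3", "xyz", "Timeout at B",       1,
    "u4", "abc", "Timeout at B",       1
];
// Total distinct users of the version, captured as a scalar
let totalUsers = toscalar(
    customEvents
    | where application_Version == "xyz"
    | summarize dcount(user_Id));
exceptions
| where application_Version == "xyz"
| summarize impactedUsers = dcount(user_Id) by problemId
| extend truncated = impactedUsers / totalUsers * 100,           // long / long is integer division
         percent = round(100.0 * impactedUsers / totalUsers, 2)  // real arithmetic keeps the fraction
| order by impactedUsers desc
```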