Kusto query help for Time chart - azure-data-explorer

I am writing a Kusto query to display the status of build results in a time chart. That is, the first column will display the time in 5-minute intervals and the remaining columns will have the count for the respective build status (success, failed, in progress).
Once I have applied all the filters, I am using the query below:
| summarize count = count() by Status, bin(timestamp(), 1h)
| render timechart
It says unknown function and I am not sure how to display a time chart. So, for each status, how do I get the count for every 5 minutes? Thanks for any inputs.

It seems that the issue is that you are using function notation when telling the "bin" function which column to use, instead of simply providing the name of the column. In other words, remove the parentheses after the column name timestamp, as follows:
T
| summarize count= count() by Status ,bin(timestamp, 1h) | render timechart

Can't project/extend after `bag_unpack` if empty table

I'm using bag_unpack to explode the customDimensions column in the AppInsights traces table and want to "shape" the resultant table. All is fine if there are rows to work with. If there are not, subsequent operations that reference the exploded columns fail. For example (I boiled it down to an isolated repro),
datatable (Date:datetime, JSON:string )
[datetime(1910-06-11), '{"key": "1"}', datetime(1930-01-01), '{"key": "2"}',
datetime(1953-01-01), '{"key": "3"}', datetime(1997-06-25), '{"key": "4"}']
| where Date > datetime(2000-01-01)
| project parsed = parse_json(JSON)
| evaluate bag_unpack(parsed)
| project-rename value = key
// lots more data shaping here
Since the where filters out all rows, there is nothing to unpack. OK, that's fine, but the data-shaping ops (e.g., project-rename) fail saying
project-rename: Failed to resolve column reference 'key'
If you change the date in the where to be say 1900-01-01 then everything works as expected.
Note as well that if you remove the bag_unpack and project-rename some other column, it works fine with no rows. For example,
datatable (Date:datetime, JSON:string )
[datetime(1910-06-11), '{"key": "1"}', datetime(1930-01-01), '{"key": "2"}',
datetime(1953-01-01), '{"key": "3"}', datetime(1997-06-25), '{"key": "4"}']
| where Date > datetime(2000-01-01)
| project-rename value = JSON
I can see how the unpack creates the columns so if it didn't run the column doesn't get created but at the same time, why run the project at all if there are no rows?
In theory I could move the where down but I'm not sure if the query planning will recognize that and only do the subsequent project/data shaping on the reduced set of rows (filtered by the where). I've got a lot of rows and typically only need to operate on a few of them.
Pointers on how to work with bag_unpack and empty tables? Or columns that may or may not be there?
You could use the column_ifexists() function: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/columnifexists
For example:
... | project value = column_ifexists("key", "")

Kusto query max x by y

I'm trying to write a simple Kusto query to find the max value of x for each y. To be more specific, I'm querying the Azure Data Explorer sample table "Covid", trying to get the max number of deaths by country. I tried using a few things like this
Covid19
| summarize MostDeaths = max(Deaths) by Country
| project Country, MostDeaths
But this is not working of course. I also haven't found anything like this (simple as it is) in the documentation with its examples.
Edit: Expected results:
Actual results: "A recognition error occurred.
Token: |
Line: 3, Position: 0"
Your query, as you've written it in your question - is valid (syntactically and semantically).
You can click this deep-link to run it and see for yourself: https://dataexplorer.azure.com/clusters/help/databases/Samples?query=H4sIAAAAAAAAA3POL8tMMbTkqlEoLs3NTSzKrEpV8M0vLnFJTSzJKFawVchNrNCAcDQVkioVnPNL80qKKoHqC4rys1KTS2AiOkjaACLGJoNVAAAA
Given the error message you're seeing, I can guess that you're actually running a different query.
(perhaps:
do you have a duplicate pipe (|) ?
or - are you missing a linebreak between multiple queries in the same query editor tab?
)

Datetime not formatting properly as d:hh:mm

I have a Google spreadsheet where I'm finding the amount of time between two datetime values. The calculation seems to be working properly, because when I output the value as just a number, it looks correct. However, when I try to format it as d:hh:mm, for any values where the two dates are on the same day, it is showing me 30 days instead of 0. Some sample data:
Datetime | Diff as # | Diff as d:hh:mm
8/13/2016 20:24 | |
8/27/2016 00:09 | 13.15625 | 13:03:45 (this line is correct)
8/27/2016 04:43 | 0.190278 | 30:04:34 (this is incorrect, should be 0 days, not 30)
When I try the same thing in Excel, it works as expected. (instead of 30:04:34, I get 00:04:34) So I think it's some difference between the two that I'm not familiar with. Can someone assist?
At present, Google Sheets doesn't have a feature to show a duration in days (via custom format); you can only have it in hours and/or minutes and/or seconds.
Still there is a workaround to get the desired format, try the following formula in cell C3:
=(datevalue(A3)-datevalue(A2))&text(time(0,0,(A3-A2)*24*60*60),":HH:mm")
EDIT (after viewing the comment):
Try the following formula:
=rounddown(A3-A2)&" days "&text(time(0,0,(A3-A2)*24*60*60),"HH:mm")

How to update entries in a table within a nested dictionary?

I am trying to create an order book data structure where a top level dictionary holds 3 basic order types, each of those types has a bid and ask side and each of the sides has a list of tables, one for each ticker. For example, if I want to retrieve all the ask orders of type1 for Google stock, I'd call book[`orderType1][`ask][`GOOG]. I implemented that using the following:
bookTemplate: ([]orderID:`int$();date:"d"$();time:`time$();sym:`$();side:`$();
orderType:`$();price:`float$();quantity:`int$());
bookDict:(1#`)!enlist`orderID xkey bookTemplate;
book: `orderType1`orderType2`orderType3 ! (3# enlist(`ask`bid!(2# enlist bookDict)));
Data retrieval using book[`orderType1][`ask][`ticker] seems to be working fine. The problem appears when I try to add new order to a specific order book e.g:
testorder:`orderID`date`time`sym`side`orderType`price`quantity!(111111111;.z.D;.z.T;
`GOOG;`ask;`orderType1;100.0f;123);
book[`orderType1][`ask][`GOOG],:testorder;
Executing the last query gives 'assign error. What's the reason? How to solve it?
A couple of issues here. The first is that while you can look up into dictionaries using a series of in-line repeated keys, i.e.
q)book[`orderType1][`ask][`GOOG]
orderID| date time sym side orderType price quantity
-------| -------------------------------------------
you can't assign values like this (can only assign at one level deep). The better approach is to use dot-indexing (and dot-amend to reassign values). However, the problem is that the value of your book dictionary is getting flattened to a table due to the list of dictionaries being uniform. So this fails:
q)book . `orderType1`ask`GOOG
'rank
You can see how it got flattened by inspecting the terminal
q)book
| ask
----------| -----------------------------------------------------------------
orderType1| (,`)!,(+(,`orderID)!,`int$())!+`date`time`sym`side`orderType`pric
orderType2| (,`)!,(+(,`orderID)!,`int$())!+`date`time`sym`side`orderType`pric
orderType3| (,`)!,(+(,`orderID)!,`int$())!+`date`time`sym`side`orderType`pric
To prevent this flattening you can force the value to be a mixed list by adding a generic null
q)book: ``orderType1`orderType2`orderType3 !(::),(3# enlist(`ask`bid!(2# enlist bookDict)));
Then it looks like this:
q)book
| ::
orderType1| `ask`bid!+(,`)!,((+(,`orderID)!,`int$())!+`date`time`sym`side`ord
orderType2| `ask`bid!+(,`)!,((+(,`orderID)!,`int$())!+`date`time`sym`side`ord
orderType3| `ask`bid!+(,`)!,((+(,`orderID)!,`int$())!+`date`time`sym`side`ord
Dot-indexing now works:
q)book . `orderType1`ask`GOOG
orderID| date time sym side orderType price quantity
-------| -------------------------------------------
which means that dot-amend will now work too
q).[`book;`orderType1`ask`GOOG;,;testorder]
`book
q)book
| ::
orderType1| `ask`bid!+``GOOG!(((+(,`orderID)!,`int$())!+`date`time`sym`side`o
orderType2| `ask`bid!+(,`)!,((+(,`orderID)!,`int$())!+`date`time`sym`side`ord
orderType3| `ask`bid!+(,`)!,((+(,`orderID)!,`int$())!+`date`time`sym`side`ord
Finally, I would recommend reading this FD whitepaper on how to best store book data: http://www.firstderivatives.com/downloads/q_for_Gods_Nov_2012.pdf

Joining odd/even results of select for subtraction in sqlite?

I've got an sqlite table which contains start/stop timestamps. I would like to create a query which returns a total elapsed time from there.
Right now I have a SELECT (e.g. SELECT t,type FROM event WHERE t>0 AND (name='start' OR name='stop') AND eventId=xxx ORDER BY t) which returns a table which looks something like this:
+---+-----+
|t |type |
+---+-----+
| 1|start|
| 20|stop |
|100|start|
|150|stop |
+---+-----+
To produce the total elapsed time in the above example would be accomplished by (20-1)+(150-100) = 69
One idea I had was this: I could run two separate queries, one for the "start" fields and one for the "stop" fields, on the assumption that they would always line up like this:
+---+---+
|(1)|(2)|
+---+---+
| 1| 20|
|100|150|
+---+---+
(1) SELECT t FROM EVENT where name='start' ORDER BY t
(2) SELECT t FROM EVENT where name='stop' ORDER BY t
Then it would be simple (I think!) to just sum the differences. The only problem is, I don't know if I can join two separate queries like this: I'm familiar with joins that combine every row with every other row and then eliminate those that don't match some criteria. In this case, the criteria is that the row index is the same, but this isn't a database field, it's the order of the resulting rows in the output of two separate selects - there isn't any database field I can use to determine this.
Or perhaps there is some other way to do this?
I do not use SQLite but this may work. Let me know.
SELECT SUM(CASE WHEN type = 'stop' THEN t ELSE -t END) FROM event
This assumes the only values in type are start/stop.
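An added example, not code from the question or the answer: it builds an in-memory SQLite database (Python's standard-library sqlite3 module) with constructed rows that reproduce the question's table as eventId 1, plus an assumed eventId 2 whose last row is a start with no matching stop. It runs the answer's signed-sum query next to a window-function pairing that counts only stop-after-start pairs and reports what it skipped, so the effect of the "starts and stops alternate" assumption is visible on realistic input. The eventId column name and the second event's rows are assumptions.

```python
"""Total elapsed time from start/stop rows in SQLite, with anomaly checks."""
import sqlite3

# Constructed sample rows (not from the original post): (eventId, t, type).
# eventId 1 reproduces the question's table: (20-1) + (150-100) = 69.
# eventId 2 ends with a 'start' that has no 'stop', i.e. a still-open interval.
SAMPLE_EVENTS = [
    (1, 1, "start"), (1, 20, "stop"), (1, 100, "start"), (1, 150, "stop"),
    (2, 5, "start"), (2, 15, "stop"), (2, 40, "start"),
]


def open_db():
    """In-memory database with an `event` table shaped like the question's."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event (eventId INTEGER, t INTEGER, type TEXT)")
    con.executemany("INSERT INTO event VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return con


def elapsed_signed_sum(con, event_id):
    """The answer's trick: every stop adds t, every start subtracts t.

    Correct only when starts and stops strictly alternate and the last row is
    a stop; an unmatched trailing start silently drags the total down.
    """
    (total,) = con.execute(
        "SELECT SUM(CASE WHEN type = 'stop' THEN t ELSE -t END) "
        "FROM event WHERE eventId = ? AND type IN ('start', 'stop')",
        (event_id,),
    ).fetchone()
    return total


def elapsed_paired(con, event_id):
    """Pair each stop with the row immediately before it and count only
    stop-after-start pairs (window functions need SQLite >= 3.25).

    Returns (elapsed, anomalies); anomalies lists what was not counted.
    """
    sql = """
    WITH ordered AS (
        SELECT t, type,
               LAG(t)     OVER (ORDER BY t) AS prev_t,
               LAG(type)  OVER (ORDER BY t) AS prev_type,
               LEAD(type) OVER (ORDER BY t) AS next_type
        FROM event
        WHERE eventId = ? AND type IN ('start', 'stop')
    )
    SELECT
        COALESCE(SUM(CASE WHEN type = 'stop' AND prev_type = 'start'
                          THEN t - prev_t END), 0)            AS elapsed,
        SUM(type = 'stop'  AND prev_type IS NOT 'start')      AS orphan_stops,
        SUM(type = 'start' AND next_type IS NULL)             AS open_starts,
        SUM(type = 'start' AND next_type = 'start')           AS double_starts
    FROM ordered
    """
    elapsed, orphan_stops, open_starts, double_starts = con.execute(
        sql, (event_id,)
    ).fetchone()
    anomalies = []
    if orphan_stops:
        anomalies.append(f"{orphan_stops} stop(s) without a preceding start")
    if double_starts:
        anomalies.append(f"{double_starts} start(s) followed by another start")
    if open_starts:
        anomalies.append("interval still open (last row is a start)")
    return elapsed, anomalies


if __name__ == "__main__":
    db = open_db()
    for eid in (1, 2):
        print(eid, "signed sum:", elapsed_signed_sum(db, eid),
              "paired:", elapsed_paired(db, eid))
```

For eventId 1 both queries agree on 69. For eventId 2 the signed sum returns -30 because the open start at t=40 is subtracted with nothing to balance it, while the paired query returns 10 and flags the open interval; in production data, the anomaly list is what tells you the alternation assumption was violated rather than letting a negative or shortened total pass silently.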
