I'm trying to display custom names for the Row data fetched using IN condition in Kusto.
Below is the table structure-
Below is the query I've used-
customEvents
| project Action=customDimensions["ActionInvoked"]
| where Action in (
"viewSelected",
"myProjectsSelected",
"watchlistSelected"
)
| summarize count() by tostring(Action)
| sort by count_
| render columnchart
The output to the query is as below-
As noticed in the output highlighted column names ("viewSelected","myProjectsSelected" & "watchlistSelected") are being rendered as is.
These are not User friendly and I'd like to change it.
NOTE: I'm just a day old to Kusto, so my query might be bad. Please feel free to change it to a better one if needed.
You'll need to replace your original values in the Action column by the names you want to be displayed. The easiest way to do it is to use the case function like this (look at the | extend Action = case(...) part):
customEvents
| project Action = tostring(customDimensions["ActionInvoked"])
| where Action in (
"viewSelected",
"myProjectsSelected",
"watchlistSelected"
)
| extend Action = case(
Action == "viewSelected", "Default Views",
Action == "myProjectsSelected", "Custom Views",
"Watchlist")
| summarize count() by Action
| sort by count_
| render columnchart
By the way, note that I moved the tostring higher up in the query, for convenience.
And here's how the new query works on your data:
datatable(Action:string) [
"viewSelected",
"myProjectsSelected",
"watchlistSelected",
"watchlistSelected",
"viewSelected"
]
| extend Action = case(
Action == "viewSelected", "Default Views",
Action == "myProjectsSelected", "Custom Views",
"Watchlist")
| summarize count() by Action
Output:
Action
count_
Default Views
2
Custom Views
1
Watchlist
2
Related
I have a JSON property bag being received as an update to configuration. I would like to retrieve the existing latest property bag from the table, manipulate it to remove the keys that are being updated using the bag_remove_keys and bag_merge operators.
This is being used in an update policy, so I have the new property bag in an extend from the input data, I need to perform a new extend to retrieve the current latest property set existing in the table.
Something similar to the below:
rawhsimessages
//Get #RecType
| extend ParsedMessage = parse_json(Message)
| extend Objects = ParsedMessage["ExportedConfig"]["Objects"]
| parse Objects with "[" Objects "]"
| extend Properties = parse_json(Objects)
| extend RecType = Properties["#RecType"]
| where RecType == "CHANGE"
| extend latestconfig = XXXX(GeoSCADAConfigurationTest | where Id == Properties["Id"] | summarize arg_max(ConfigTime, Properties)
| project-away Message, ParsedMessage, Objects
Can I replace the XXXX with anything that will allow me to do this?
If not, is there a better approach I can take?
I'm pretty new to KQL and I'm having a difficult time with it (I don't have a background in stats, and I'm not very good at SQL either). I have telemetry data coming in from Microsoft AppCenter that I want to parse out into some charts but I'm trying to first figure out how to split a concatenated string that is essentially a dictionary that has two possible values: true and false. I want to count the number of each, so every key would have 2 values (true/false) which would also each have a numerical count value.
The input string I'm trying to get this data from is of the format Remove Splash/Main Menu Branding=True;Disable Aim Assist=False - unique items are split by ; and each pair is split by =. I am trying to figure out which options my users are using this way. The example string here would be split into:
Remove Splash/Main Menu Branding = True (count 1)
Disable Aim Assist = False (count 1).
If a new item came in that was Remove Splash/Main Menu Branding=True;Disable Aim Assist=True the summarized data would be
Remove Splash/Main Menu Branding = True (count 2)
Disable Aim Assist = False (count 1).
Disable Aim Assist = True (count 1).
So far I've got a query that selects a single item, but I don't know how to count this across multiple rows:
customEvents
| where timestamp > ago(7d)
| where name == "Installed a mod"
| extend Properties = todynamic(tostring(customDimensions.Properties))
| where isnotnull(Properties.["Alternate Options Selected"])
| extend OptionsStr = Properties.["Alternate Options Selected"] //The example string in above
| extend ModName = Properties.["Mod name"]
| where ModName startswith "SP Controller Support" //want to filter only to one mod's options
| extend optionsSplit = split(OptionsStr, ";")
| summarize any(optionsSplit)
I'm not sure how to make counts of it in a dictionary though. If anyone has any suggestions or tips or examples on something like this, I would really appreciate it, thanks.
Here you go:
let MyTable = datatable(Flags:string) [
"Remove Splash/Main Menu Branding=True;Disable Aim Assist=False",
"Remove Splash/Main Menu Branding=True;Disable Aim Assist=True"
];
MyTable
| extend Flags = split(Flags, ";")
| mv-expand Flag = Flags to typeof(string)
| summarize Count = count() by Flag
The output of this is:
| Flag | Count |
|---------------------------------------|-------|
| Remove Splash/Main Menu Branding=True | 2 |
| Disable Aim Assist=False | 1 |
| Disable Aim Assist=True | 1 |
Explanation:
First you split every input string (that contains multiple flags) into substrings, so that each will only have a single flag - you achieve this by using split.
Now your new Flags column has a list of strings (each one containing a single flag), and you want to create a record with every string, so you use the mv-expand operator
Lastly, you want to count how many times every key=value pair appears, and you do it with summarize count() by Flag
In case you want to see one record (in the output) per Key, then you can use the following query instead:
let MyTable = datatable(Flags:string) [
"Remove Splash/Main Menu Branding=True;Disable Aim Assist=False",
"Remove Splash/Main Menu Branding=True;Disable Aim Assist=True"
];
MyTable
| extend Flags = split(Flags, ";")
| mv-expand Flag = Flags to typeof(string)
| parse Flag with Key "=" Value
| project Key, Value
| evaluate pivot(Value, count(Value))
Its output is:
| Key | False | True |
|----------------------------------|-------|------|
| Remove Splash/Main Menu Branding | 0 | 2 |
| Disable Aim Assist | 1 | 1 |
You wrote that you're new to KQL, so you might find the following free Pluralsight courses interesting:
How to start with Microsoft Azure Data Explorer
Basic KQL
Azure Data Explorer – Advanced KQL
P.S. In the future please provide sample input in datatable format (if you're using Kusto Explorer, just select the relevant query results, right-click on the selection, and click Copy as datatable() literal), and also the expected output in a table format, so that it will be easier to understand what you want to achieve.
I'm trying to get a list of all of the parent posts in my database sorted by the most recent activity to that thread. That means check the most recent post to that thread - if there's children posts then check their most recent date, if not then the parent's date.
I have one table called "posts" that consists of the following:
If a post is a parent (first post of thread): Topic is not null, Parent_ID is null. It would look like this:
ID | Name | Message | Date | File | Topic | Parent_ID
=====================================================
1 | Joe | Wee! | Date | File | Blah! | NULL
If a post is a child (a post in a thread = parent's ID): Topic is null, Parent_ID is not null. It would look like this:
ID | Name | Message | Date | File | Topic | Parent_ID
=====================================================
2 | Mike | Hi! | Date | File | NULL | 1
I've gotten really close. I think it has something to do with the With Clause. This is what I came up with so far:
WITH threads AS (
SELECT ID,Name,Date,File,Topic,Parent_ID FROM posts WHERE Parent_ID IS NULL
UNION ALL
SELECT Parent_ID,Name,Date,File,Topic,Parent_ID FROM posts WHERE Parent_ID NOTNULL ORDER BY Date DESC
)
SELECT * FROM threads GROUP BY ID ORDER BY Threads.date;
I already know I can search for similar questions. I've already tried and still haven't come to an exact conclusion. Any help would be appreciated.
Also, should I change my table up? Maybe add a thread column or even a thread table or something to make things easier?
AllDates is a standard tree walk, and collects all dates for each topic; the TopID is kept through all iterations so that the last date can be associated with it.
LastDates then throws away all rows that are not the last date.
WITH RECURSIVE AllDates(TopID, ID, Date) AS (
SELECT ID, ID, Date
FROM Threads
WHERE Parent_ID IS NULL
UNION ALL
SELECT AllDates.TopID, Threads.ID, Threads.Date
FROM AllDates
JOIN Threads ON AllDates.ID = Threads.Parent_ID
),
LastDates(ID, LastDate) AS (
SELECT TopID, max(Date)
FROM AllDates
GROUP BY TopID
)
SELECT *
FROM Threads
JOIN LastDates USING (ID)
-- WHERE Parent_ID IS NULL (not needed because of the join)
ORDER BY LastDate DESC;
(This would be much easier and faster if each post had a reference to the thread.)
I use this query to display exceptions:
exceptions
| where application_Version == "xyz"
| summarize count_=count(itemCount), impactedUsers=dcount(user_Id) by problemId, type, method, outerMessage, innermostMessage
| order by impactedUsers
How to query what percent of users are impacted by specific exception?
I would check all users by this query:
customEvents
| where application_Version == "xyz"
| summarize dcount(user_Id)
You're almost there with what you have, you just need to connect the two:
use let + toscalar to define the results of a query as a number
reference that in your query (i used *1.0 to force it to be a float, otherwise you get 0, and used round to get 2 decimals, adjust that however you need)
making your query:
let totalUsers = toscalar(customEvents
| where application_Version == "xyz"
| summarize dcount(user_Id));
exceptions
| where application_Version == "xyz"
| summarize count_=count(itemCount),
impactedUsers=dcount(user_Id),
percent=round(dcount(user_Id)*1.0/totalUsers*100.0,2)
by problemId, type, method, outerMessage, innermostMessage
| order by impactedUsers
I have a google spreadsheet with data.
(I simplified all the examples to make it easier to read):
+-------+--------+-------+
| Name | Email | other |
+-------+--------+-------+
| Name1 | Email1 | info1 |
| Name2 | Email2 | info2 |
+-------+--------+-------+
I'm using google.visualization.Query to load the data from the spreadsheet into an html webpage.
I create a google.visualization.DataTable from the query and then a visualization Table from the DataTable.
Now I want to edit the spreadsheet when the user clicks a row, my old code was easy, just fired a new event
var DataTable= response.getDataTable(); //response is the response after sending the google.visualization.Query
var Table = new google.visualization.Table (...);
google.visualization.events.addListener(visualization_table, 'select', selectedRow);
function selectedRow(){
alert(Table.getSelection()[0]);
}
the code is working when the query includes the whole spreadhseet (select *)
but when you filter some row, for example (select * C contains 'John')
obviously the table in the html code don't have the same row index as the spreadsheet, so I can't use Table.getSelection()[0].
Is there any way to get the "real" row index to edit it properly?
I've never queried sheets as a data source like this, but I noticed two methods on DataTable that might help:
DataTable.getColumnId(columnIndex);
DataTable.getRowId(rowIndex)
Returns the identifier of a given column specified by the column index in the underlying table. For data tables that are retrieved by queries, the column identifier is set by the data source, and can be used to refer to columns when using the query language.