I'm trying to get the count of multiple things in a Kusto query but having trouble getting it working. Let's say I have a sample table like this:
let SampleTable = datatable(Department:string, Status:string, DateStamp:datetime)
[
"Logistics", "Open", "05-01-2019",
"Finance", "Closed", "05-01-2020",
"Logistics", "Open", "05-01-2020"
];
And I query like this:
SampleTable
| summarize closedEntries = count() by (Status | where Status == "Closed"),
openEntries = (Status | where Status == "Open"),
recentDates = (DateStamp | where DateStamp > "12-31-2019"),
Department
Expected results:
But this gives an error "The name 'Status' does not refer to any known column, table, variable or function." and the same error for DateStamp. I've also tried using extend and join but it's a mess.
You could use the countif() aggregation function: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/countif-aggfunction
datatable(Department:string, Status:string, DateStamp:datetime)
[
"Logistics", "Open", "05-01-2019",
"Finance", "Closed", "05-01-2020",
"Logistics", "Open", "05-01-2020"
]
| summarize closedEntries = countif(Status == "Closed"),
openEntries = countif(Status == "Open"),
recentDates = countif(DateStamp > datetime(12-31-2019))
by Department
I am trying to generate a list of values that are missing from a set list of values. I have a query like below:
let fcu = todynamic(pack_array("Alarm",
"State",
"Zone",
"Air",
"Temp Sp",
"Fan",
"Zone Air"));
let ac = all
| join kind=inner (AT) on $left.SourceId == $right.Id
| summarize Models=todynamic(make_list(Name2)) by Id
| extend MissingValues =
array_iff(dynamic([false,false,false,false,false,false,false]), fcu, Models);
This gives me the MissingValues as below, with null values that are missing in Models. How do I get the list of values that are missing?
"MissingValues": [
"Alarm",
"State",
"Zone",
"Air",
"Temp Sp",
null,
null
],
You should be able to use set_difference in order to get the set of all distinct values that are in the first array ("expected") but aren't in the other array ("actual").
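The set_difference() approach described above, applied to the question's expected list, as an added example that is not part of the original answer. The sample rows and the Id values are constructed and stand in for the asker's joined tables.

```kusto
// Added example: constructed rows replace the asker's `all | join (AT)` result.
let expected = dynamic(["Alarm", "State", "Zone", "Air", "Temp Sp", "Fan", "Zone Air"]);
datatable(Id:string, Name2:string)
[
    "unit-1", "Alarm",
    "unit-1", "State",
    "unit-1", "Zone",
    "unit-1", "Air",
    "unit-1", "Temp Sp",
    "unit-2", "Alarm",
    "unit-2", "Fan",
    "unit-2", "Zone Air",
    // unit-3 reports every expected value, so nothing is missing for it
    "unit-3", "Alarm",
    "unit-3", "State",
    "unit-3", "Zone",
    "unit-3", "Air",
    "unit-3", "Temp Sp",
    "unit-3", "Fan",
    "unit-3", "Zone Air"
]
// One distinct set of reported names per Id
| summarize Models = make_set(Name2) by Id
// Values that are in `expected` but not in this Id's Models
| extend MissingValues = set_difference(expected, Models)
// Keep only the Ids that are actually missing something
| where array_length(MissingValues) > 0
| project Id, MissingValues
```

The result holds only the missing names for each Id, with no null placeholders, and the order of elements inside each returned set is not guaranteed.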
Is there a way to project literal value of severityLevel in Application Insights query?
Consider the following query:
union
customEvents,
dependencies,
exceptions,
performanceCounters,
traces
| order by timestamp desc
| project timestamp, operation_Name, itemType, severityLevel, message = strcat(name, message, outerMessage), customDimensions, ['details']
In the output, the severityLevel value is numeric. I want the equivalent descriptive value in accordance with the SeverityLevel Enum definition.
I am able to get the severityLevel descriptive value.
Use the below query snippet
union
customEvents,
dependencies,
exceptions,
performanceCounters,
traces
| order by timestamp desc
| project timestamp, operation_Name, itemType, severityLevel, message = strcat(name, message, outerMessage), customDimensions, ['details']
| extend severityLevel = case(severityLevel == 0, "Verbose",
severityLevel == 1, "Information",
severityLevel == 2, "Warning",
severityLevel == 3, "Error",
severityLevel == 4, "Critical",
"-")
I am trying to create a query that returns a result set with a distinct (car) column based on another (data) column that is non-null.
In the example below, if there is a non-null value found in the data column then return the single instance with a value and if not, return the value with null and always maintain the distinctness of the first column.
let Car = datatable(car:string, data:string)
[
"mercedes", "fast",
"mercedes", null,
"tesla", null,
"toyota", "good",
"sonata", null,
"sonata", null,
"sonata", "amazing"
];
So the desired output would be:
"mercedes", "fast",
"tesla", null,
"toyota", "good",
"sonata", "amazing",
Thanks!
One option would be using a combination of set_difference() and make_set():
make_set() will create a set of all unique values of data (by car, the aggregation key)
dynamic([""]) is an array with an empty string
set_difference() will produce the difference between the two former arrays - to provide a set with a non-empty string (or an empty set)
last, by accessing the first element of the result set (using [0]), you'll get the first element that's not-empty (or null, if the set is empty)
datatable(car:string, data:string)
[
"mercedes", "",
"mercedes", "fast",
"tesla", "",
"toyota", "good",
"sonata", "",
"sonata", "",
"sonata", "amazing"
]
| summarize data = set_difference(make_set(data), dynamic([""]))[0] by car
| car | data |
|---|---|
| mercedes | fast |
| tesla | |
| toyota | good |
| sonata | amazing |
I have the following user-defined functions with the intention of using a case conditional to output a table of 0s or 1s saying whether or not an account is active.
case needs scalar values as its arguments, i.e. pro_account_active(account) and basic_account_active(account) need to be scalar values.
I'm struggling to get around the limitation of toscalar:
"User-defined functions can't pass into toscalar() invocation information that depends on the row-context in which the function is called."
I think if there was a function I can use in place of the "??????" that would convert active to a scalar and return it from the function it would work.
Any help greatly appreciated
let basic_account_active=(account:string) {
basic_check_1(account) // returns 0 or 1 row only
| union basic_check_2(account)
| summarize result_count = count()
| extend active = iff(result_count == 2, 1, 0)
| ??????
};
let pro_account_active=(account:string) {
pro_check_1(account) // returns 0 or 1 row only
| union pro_check_2(account)
| summarize result_count = count()
| extend active = iff(result_count == 2, 1, 0)
| ??????
};
let is_active=(account_type:string, account:string) {
case(
account_type == 'pro', pro_account_active(account),
account_type == 'basic', basic_account_active(account),
-1
)
};
datatable(account_type:string, account:string)
[
'pro', '89e5678a92',
'basic', '9d8263da45',
'pro', '0b975f2454a',
'basic', '112a3f4753',
]
| extend result = is_active(account_type, account)
You can convert the output of a query to a scalar by using the toscalar() function, i.e.
let basic_account_active=(account:string) {
toscalar(basic_check_1(account) // returns 0 or 1 row only
| union basic_check_2(account)
| summarize result_count = count()
| extend active = iff(result_count == 2, 1, 0)
| project active) // toscalar() takes the first column of the first row, so keep only active
};
From your example it looks like you have two tables for each account type, and if both have entries for a specific account, then the account is considered active. Is that correct? If so, I would use the "join" operator to find all the entries in the applicable tables and count them. Here is an example of one way to do it (there are other ways as well).
let basicAccounts1 = datatable(account_type:string, account:string)[ 'basic', '9d8263da45', 'basic', '111111'];
let basicAccounts2 = datatable(account_type:string, account:string)[ 'basic', '9d8263da45', 'basic', '222222'];
let proAccounts1 = datatable(account_type:string, account:string)[ 'pro', '89e5678a92', 'pro', '111111'];
let proAccounts2 = datatable(account_type:string, account:string)[ 'pro', '89e5678a92', 'pro', '222222'];
let AllAccounts = union basicAccounts1, basicAccounts2, proAccounts1, proAccounts2
| summarize count() by account, account_type;
datatable(account_type:string, account:string)
[
'pro', '89e5678a92',
'basic', '9d8263da45',
'pro', '0b975f2454a',
'basic', '112a3f4753',
]
| join kind=leftouter hint.strategy=broadcast (AllAccounts) on account, account_type
| extend IsActive = count_ >=2
| project-away count_, account1, account_type1
The results are:
I'm trying to dynamically create a query and filter from a table not known at compile time (specifically, I want to filter on id if I'm querying the requests table, operation_ParentId otherwise). The following fails because id is not a column in the exceptions table:
let dataset = exceptions;
dataset
| where (itemType == "request" and id == "test") or (itemType != "request" and operation_ParentId == "test")
Thanks in advance!
This can be done using columnifexists():
let dataset = exceptions;
dataset
| where (itemType == "request" and columnifexists("id", operation_ParentId) == "test") or (itemType != "request" and operation_ParentId == "test")
You can ‘union’ the two tables:
let dataset = union exceptions, requests;
...