Alerting from a custom event in azure application insights not firing - azure-application-insights

I have a .net application uploading customEvents to application insights. I'd like to create an alert to trigger when a scanning (like a heartbeat) message hasn't been sent.
If I run the following log query I get back what I think looks like something I can alert on:
app('dev-insights').customEvents
| where name == "Scanning"
| project-rename TimeGenerated = timestamp
| make-series kind=nonempty counts=count() default=0
on TimeGenerated in range(ago(1h), now()-5m, 5m)
| mv-expand TimeGenerated, counts
| project todatetime(TimeGenerated), toint(counts)
| summarize AggregatedValue=avg(counts) by bin(TimeGenerated, 5m)
And I get results like this:
But with the following in azure alerts it never seems to fire:
Is this something that should be possible? I notice that the graph in the alert preview never looks right which I suspect is something to do with the issue, but seeing as the raw log query looks ok I'm a bit stuck.
Ideally I guess I'd prefer this to be a metric alert, as I think even if I can get this to work I'll get an alert sent every time the condition is true rather than just one when it triggers and one when it resolves. Is there any way to achieve that?

Related

Azure Application Insights - Render ColumnChart as Unstacked

I am putting together a dashboard for our production services and I am trying to create a unified chart of response performance across multiple services.
Now, I can get the query to run, but it created a STACKED column chart and I cannot seem to get it to UNSTACK unless I manually go to the chart properties and change it, and this is not a persistent change as it will reset when you reload / refresh the page.
Here's my query
// Create a combined dataset
let mainTable = union pageViews, customEvents, requests
| where isempty(operation_SyntheticSource)
| extend name =replace("\n", "", name)
| extend name =replace("\r", "", name);
// Generate chart data
mainTable
| where duration > 1000 // Not interested in any responses under 1 second
| parse (duration / 1000) // Take the whole number of seconds
with P1: int
"."
notInterested: string
| extend peformanceBucket = iff(P1 > 4, ">4", tostring(P1))
| project name, duration, peformanceBucket
| summarize Count = count() by peformanceBucket, name
| order by peformanceBucket
| render columnchart
And here's the output
But this is what I want (by default)
"I can get the query to run, but it created a STACKED column chart and I cannot seem to get it to UNSTACK unless I manually go to the chart properties and change it, and this is not a persistent change as it will reset when you reload / refresh the page."
If you want to show the Unstacked chart type, use the Kind property as Unstacked.
Workaround follows:
The query I have used in my Application Insights
exceptions
| summarize count = sum(itemCount) by bin(timestamp, 3h), problemId
| order by timestamp asc, problemId
| render columnchart kind=unstacked
Result
After Adding in Dashboard

Azure App Insights KQL - How can I perform an aggregate sum of nested data?

Azure Application Insights uses the Kusto Query Language (KQL) that is clearly quite powerful, but I cannot seem to get it to aggregate nested data.
The best way to explain this is through an example. My actual situation uses different data, but has the same problem that I will explain here. Using the Azure Data Explorer there is a StormEvents table that has a State property, a StormSummary property, and many more. The StormSummary property is JSON that looks like:
{"TotalDamages":0,"StartTime":"2007-09-18T20:00:00.0000000Z",...}
I can do a query such as:
StormEvents
| project State, StormSummary.TotalDamages
That gives me a nice tabular result. However, what I really want is to aggregate the total damages for each state, so I want something like:
StormEvents
| project State, sum(StormSummary.TotalDamages)
Unfortunately, the above query fails with:
Function 'sum' cannot be invoked in current context.
My end goal is to render this in a pie chart to show total damages for each state, but I can't get the sum of the damages. I'm using App Insights to create data with the same problem as this. Maybe if I structure my data differently it would help. I am using Track Event and providing a number as a property on the event. I could use a Metric instead, but the documentation indicates I should use an Event since I am not aggregating the metric myself.
As a point of reference, the following works if I do a count of the records by state, but I want a sum of the total damages by state.
StormEvents
| summarize Count=count() by State
| render piechart
instead of this:
StormEvents
| project State, sum(StormSummary.TotalDamages)
you could try this:
StormEvents
| summarize sum(tolong(StormSummary.TotalDamages)) by State

Getting total request count to a cosmosDb using Log Analytics logs

In Azure you can see how many requests have been made against a CosmosDB in the overview tab of the cosmosDb. I want to get that same number (total requests) using Log Analytics Diagnostic logs, but I am having trouble knowing which logs to count, since there are more logs than total requests.
Around March I used a logic that if a log had a full self-link (with database id/name and collection id/name) in the requestResourceId_s field then I would count it. This seemed to work and the numbers added up, but when I revisited this a while back I noticed this doesn't work anymore. Then I tried filtering the logs with collectionName_s != "", requestLength_s != "0", requestCharge_s != "0.000000", using the distinct operator on the activityId, and combining the mentioned filters in different combinations. But it always returns the wrong numbers and I can't seem to find the Total Request Count.
AzureDiagnostics
| extend requestDatabaseId = extract("(^(/dbs/.*?)/)", 1, requestResourceId_s)
| extend requestCollectionId = extract("((/colls/.*?)/)", 1, requestResourceId_s)
| where requestDatabaseId != "" and requestCollectionId != ""
This is the main point of the query I used to use to get the Total request count. For instance, it will count a log that has "/dbs/master/colls/master/docs" in requestResourceId_s.
For instance, if I see there have been 97 total requests, with my old logic there are now 326 logs that get counted.
Any help is appreciated.
Welcome to Stack Overflow.
AFAIK you should use the below Kusto query to get the total number of requests made.
AzureMetrics | where MetricName == "TotalRequests"
Pre-requisite for the above thing to work is to turn on logging using diagnostic setting as explained in this document. Make sure you tick the 'Requests' box under Metric section as highlighted in below screenshot.
Please refer to this document to know which metrics are currently supported. Should the supported metrics for any Azure resource change in future, the information there would probably be updated.
Hope this helps!! Cheers!!

Analytics data deleted from the Azure applicationinsights

I checked that when I try to query the events data, the total record count decreases automatically. I want to know when data is deleted from Application Insights. My query is just a simple count query. I also noticed that some events' timestamps were also updated. I searched blogs etc. but found nothing.
customEvents | count
Unless you explicitly set a time range in the query directly, like
customEvents | where timestamp >= ago(7d) | count
then the analytics website is going to automatically apply a last-24-hours time restriction. (Look in the upper right corner; there is a dropdown that will say either "set in query" or "last 24 hours" or other choices.)

Using application insights REST API for reading custom events

We have a custom event put in place on page which tracks the link clicks on given page to app insights. And with the REST API we would like to get the frequently accessed links from app insights.
How can we build the Query to get this analytics data, any sample on reading custom events available?
Thanks
If you open the Application Insights Analytics website for any resource, there are some "Common Queries" examples right on the front page. One of them is called "Usage", and if you click it, it will show you this one:
//What are the top 10 custom events of your application in the past 24 hours?
customEvents
| where timestamp >= ago(24h)
| summarize dcount(user_Id), count() by name
| top 10 by count_
| render barchart
which:
queries customEvents,
filtering to the last 24 hours (timestamp >= ago(24h)),
does a summary of the distinct count of users (dcount(user_Id)) and the total number of events (count()), grouped by the event name (by name),
then filters to the top 10 by the _count field created from the summarization (top 10 by count_)
and then renders it as a bar chart (render barchart)
there are many other examples on the analytics home page as well.
Edit to add: You can easily query any custom properties or metrics that you send as well. The customDimensions and customMeasurements fields in each event type are JSON-typed fields, and if there are no spaces in the names, you can just use dot notation to grab values. If the field has names/special characters, use brackets and quotes:
customEvents
| where timestamp >= ago(1h)
| extend a = customDimensions.NameOfFieldWithNoSpacesOrSpecialCharacters
| extend b = customDimensions["Field with spaces"]
| extend duration = customMeasurements["Duration (ms)"]
| project a, b, duration
| limit 10
(you don't need to use extend, you can use the fields however you want this way, with extend or project or summarize or any other functions or anything else. i just used extend for the example here.)
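
The answer above covers the query text but not the REST call the question asks about. The following is an added example, not part of the original answer: it wraps a link-click query in a request to the Application Insights query endpoint and flattens the returned table. The event name "LinkClick", the "href" property, and the application id and key passed in are assumptions for illustration.

```python
import json
import urllib.parse
import urllib.request

API_ROOT = "https://api.applicationinsights.io/v1/apps"

# Link-click query; "LinkClick" and the "href" property are assumed names.
TOP_LINKS_KQL = """
customEvents
| where timestamp >= ago(24h) and name == "LinkClick"
| summarize clicks = count() by link = tostring(customDimensions.href)
| top 10 by clicks
"""


def build_query_request(app_id, api_key, kql):
    """Build a POST to /v1/apps/{app-id}/query; the key goes in a header, not the URL."""
    url = f"{API_ROOT}/{urllib.parse.quote(app_id, safe='')}/query"
    body = json.dumps({"query": kql.strip()}).encode("utf-8")
    headers = {"x-api-key": api_key, "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers)


def rows_as_dicts(payload):
    """Turn the API's tables/columns/rows layout into one dict per result row."""
    tables = payload.get("tables") or []
    if not tables:
        return []
    names = [col["name"] for col in tables[0]["columns"]]
    return [dict(zip(names, row)) for row in tables[0]["rows"]]


def run_query(app_id, api_key, kql, timeout=30):
    """Send the query and return parsed rows (needs network access and a real key)."""
    request = build_query_request(app_id, api_key, kql)
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return rows_as_dicts(json.load(response))


# Constructed sample response in the shape the query endpoint returns.
SAMPLE_RESPONSE = json.loads("""
{"tables": [{"name": "PrimaryResult",
  "columns": [{"name": "link", "type": "string"}, {"name": "clicks", "type": "long"}],
  "rows": [["/pricing", 42], ["/docs/start", 17]]}]}
""")

if __name__ == "__main__":
    for row in rows_as_dicts(SAMPLE_RESPONSE):
        print(f"{row['clicks']:>5}  {row['link']}")
```

Keeping the key in the `x-api-key` header keeps it out of URLs that end up in proxy and access logs; give the key read-telemetry permission only.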
