I understand how to use requests and dependencies in a query.
How can I only list requests having more than a specific number of dependencies?
The comment is right, you should use join and count for your purpose. Note that the requests and dependencies are related by operation_Id.
Please use the code below which works for me (list requests that have more than 3 dependencies).
// Requests in the last hour that have more than 3 dependencies,
// matched to their dependencies through the shared operation_Id
let myrequests = requests
| where timestamp > ago(1h)
| join (dependencies | where timestamp > ago(1h))
    on operation_Id
| summarize mycount=count() by operation_Id
| where mycount > 3;
requests
| where timestamp > ago(1h)
| join myrequests
    on operation_Id
Result as below:
I need to make a timechart of concurrent VPN users connected to my Cisco ASA like the one in the following screenshot:
Look! Here is "the perfect" timechart in Splunk
Another timechart screenshot here: https://drive.google.com/file/d/1dW8nyG3dz3GbPiXuiXZofuhccoHpEHSP/view?usp=sharing
In Splunk it was made possible by the awesome query posted here:
https://community.splunk.com/t5/Splunk-Search/Concurrent-Active-VPN-Sessions-on-a-Timechart/m-p/493141#M137524
If I have to use the same logic to achieve the desired result, I just need your help to convert the following part of the above Splunk query into KQL:
| sort 0 _time
| eval time2=_time
| bin span=20m time2
| eval time2=if(status="disconnected",NULL,time2)
| eval _time=coalesce(time2,_time)
| streamstats count(eval(status="assigned")) as session by user
| stats values(eval(if(status="assigned",round(_time),NULL))) as start values(eval(if(status="disconnected",round(_time),NULL))) as end by user session
| eval timerange=mvrange(start,end,1200)
| mvexpand timerange
| rename timerange as _time
| timechart span=20m count(user)
Expected Output (from Splunk): https://drive.google.com/file/d/11F5p_zOGlgenIqVsToXiPlL2UplSIRNa/view?usp=sharing
Sample Data (from Sentinel, parsed) :
https://drive.google.com/file/d/1wzansi1MfCnUylNHSeUHiw8POIxzS4q_/view?usp=sharing
Yea, we had to switch from Splunk to Azure Sentinel. (Don't ask why.)
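One way to express the Splunk pipeline above in KQL, as an added example rather than code from the question or from the linked Splunk post. It assumes the parsed Sentinel table has the columns User, Status (with the values "assigned" and "disconnected") and TimeGenerated, and uses a constructed datatable in place of that table so it runs on its own; each comment names the Splunk step it replaces.

```kql
// Constructed sample data standing in for the parsed Sentinel VPN events
// (column names User, Status, TimeGenerated are assumptions)
let VpnEvents = datatable(TimeGenerated:datetime, User:string, Status:string) [
    datetime(2024-01-01 08:05:00), "alice", "assigned",
    datetime(2024-01-01 08:50:00), "alice", "disconnected",
    datetime(2024-01-01 08:10:00), "bob",   "assigned",
    datetime(2024-01-01 09:30:00), "bob",   "disconnected",
    datetime(2024-01-01 08:30:00), "carol", "assigned",
    datetime(2024-01-01 08:40:00), "carol", "disconnected",
    datetime(2024-01-01 09:00:00), "alice", "assigned"   // still connected, no disconnect yet
];
let binSize = 20m;                                // span=20m
let windowEnd = datetime(2024-01-01 10:00:00);    // stands in for now() with fixed data
VpnEvents
| sort by User asc, TimeGenerated asc             // sort 0 _time, grouped per user
// streamstats count(eval(status="assigned")) as session by user:
// number each session per user, restarting the counter when the user changes
| extend Session = row_cumsum(iff(Status == "assigned", 1, 0), User != prev(User, 1, ""))
// stats values(...) as start / values(...) as end by user session:
// first "assigned" and first "disconnected" timestamp of each session
| summarize Start = minif(TimeGenerated, Status == "assigned"),
            End   = minif(TimeGenerated, Status == "disconnected")
    by User, Session
| where isnotnull(Start)                          // ignore a disconnect with no matching assign
// An open session (no disconnect yet) is counted as active until the end of the window
| extend End = coalesce(End, windowEnd)
// mvrange(start, end, 1200) + mvexpand: one row per 20-minute slot the session overlaps
| extend Slot = range(bin(Start, binSize), bin(End, binSize), binSize)
| mv-expand Slot to typeof(datetime)
// timechart span=20m count(user): distinct users active in each slot
| summarize ConcurrentUsers = dcount(User) by Slot
| sort by Slot asc
| render timechart
```

To run it against real data, replace the VpnEvents datatable with the parsed table and windowEnd with now().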
I have an Application Insights query. In this query I want to join/combine several columns into a single column for display. How can this be accomplished?
I want to combine ip, city, state, country.
customEvents
| where timestamp >= ago(7d)
| where (itemType == 'customEvent')
| where name == "Signin"
| project timestamp, customDimensions.appusername, client_IP,client_City,client_StateOrProvince, client_CountryOrRegion
| order by timestamp desc
strcat is your friend, with whatever strings you want as separators (I just use spaces in the example):
| project timestamp, customDimensions.appusername,
    strcat(client_IP, " ", client_City, " ", client_StateOrProvince, " ", client_CountryOrRegion)
Also, the | where (itemType == 'customEvent') in your query is unnecessary, as everything in the customEvents table is already a customEvent. You only need a filter like that on itemType if you join multiple tables somehow (like union requests, customEvents or a join somewhere in your query that references multiple tables).
I have an Application Insights Azure Stream Analytics query that looks like this...
requests
| summarize count() by bin(duration, 1000)
| order by duration asc nulls last
...which gives me something like this, which shows the number of requests binned by duration in seconds, recorded in Application Insights.
| duration | count_ |
| 0 | 1000 |
| 1000 | 500 |
| 2000 | 200 |
I would like to able to add another column which shows the count of exceptions from all requests in each bin.
I understand that extend is used to add additional columns, but to do so I would have to reference the 'outer' expression to get the bin constraints, which I don't know how to do. Is this the best way to do this? Or am I better off trying to join the two tables together and then doing the summarize?
Thanks
As you suspected - extend will not help you much here. What you need is to run join kind=leftouter on the operation IDs (leftouter is needed so you won't drop requests that did not have any exceptions):
requests
| join kind=leftouter (
exceptions
| summarize exceptionsCount = count() by operation_Id
) on operation_Id
| summarize count(), sum(exceptionsCount) by bin(duration, 1000)
| order by duration asc nulls last
Based on datapoint numbers I'm seeing, a client's website is averaging 28 dependencies per each request. That does seem very high to me so I'd like to do some analysis by rolling dependency data points up on page views and requests to the website. Unfortunately, looking at the fields available via Application Insights, there doesn't seem to be a natural field to join dependency to pageviews or requests. Any thoughts as to how I would go about doing so?
You can consider using OperationContext
This may get you running in the right direction
requests
| where timestamp > ago(1d)
| project timestamp, operation_Id
| join (dependencies
| where timestamp > ago(1d)
| summarize count(duration) by operation_Id, type
) on operation_Id
This is what I use to look at 22 hours of my data for a particular request talking to sql server
// Requests
requests
| where timestamp >= datetime(2017-08-24T08:59:59.999Z) and timestamp < datetime(2017-08-25T06:30:00.001Z)
| where (itemType == 'request'
    and ((timestamp >= datetime(2017-08-24T09:00:00.000Z) and timestamp <= datetime(2017-08-25T06:30:00.000Z))
    and (client_Type == 'PC'
    and operation_Name == 'POST /CareDelivery/CareDelivery/ServiceUserDetailsForDeviceUserChunked/00000000-0000-0000-0000-000000000000')))
| join (dependencies
    | where timestamp >= datetime(2017-08-24T08:59:59.999Z) and timestamp < datetime(2017-08-25T06:30:00.001Z)
    | summarize count(duration) by operation_Id, type
) on operation_Id
// count(duration) is auto-named count_duration; average it per dependency type in 20-minute buckets
| summarize count_dependencies=avg(count_duration) by type, bin(timestamp, 20m)
Post this into the query and the format will be ok, and you can read it - wish I could
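An added example that is not code from any of the answers above: it serves both the "requests with more than N dependencies" question and the dependencies-per-request analysis here, combining the leftouter join from the exceptions answer with the per-operation_Id count, so that requests with no dependencies are kept as zero rather than dropped. It assumes the standard Application Insights columns used on this page (requests: timestamp, operation_Id, operation_Name; dependencies: timestamp, operation_Id, type, duration); using "SQL" as a value of type is an assumption.

```kql
let lookback = 1d;
let heavyThreshold = 3;       // the "more than 3 dependencies" cut-off from the first answer
requests
| where timestamp > ago(lookback)
| project timestamp, operation_Id, operation_Name
| join kind=leftouter (
    dependencies
    | where timestamp > ago(lookback)
    | summarize depCount  = count(),
                sqlCount  = countif(type == "SQL"),   // assumed type value, split out as an example
                depTimeMs = sum(duration)
        by operation_Id
) on operation_Id
// leftouter keeps requests that made no dependency calls; their counts come back empty
| extend depCount  = coalesce(depCount, 0),
         sqlCount  = coalesce(sqlCount, 0),
         depTimeMs = coalesce(depTimeMs, 0.0)
// Roll up per operation: how many dependencies a request of each kind really makes
| summarize requestCount  = count(),
            avgDeps       = avg(depCount),
            p95Deps       = percentile(depCount, 95),
            maxDeps       = max(depCount),
            avgSqlDeps    = avg(sqlCount),
            heavyRequests = countif(depCount > heavyThreshold),
            avgDepTimeMs  = avg(depTimeMs)
    by operation_Name
| order by avgDeps desc
```

Drop the final summarize to get one row per request (with its depCount) and filter on depCount > heavyThreshold to list only the heavy requests.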
I want to create a page in Drupal to report some basic forum information. I thought I'd use Views, but Views only lets you set one "entity" type per view but forum topics are made up of nodes and comments (aka, topics and replies).
Ideally, I'd like a single view that lists all forum nodes and comments together in a single table (sorted by date), along with a total number of both combined, if possible. Is there a way to do that with Views?
Update: What I'm looking for is something like this:
-------------------------------------------------------
| User | Post | Type | Date |
-------------------------------------------------------
| amy | post text appears here | post | 1/5/01 |
| bob | comment text appears here | comment | 1/5/01 |
| amy | another comment here | comment | 1/5/01 |
| cid | another post appears here | post | 1/4/01 |
| dave | yet another comment here | comment | 1/4/01 |
-------------------------------------------------------
total posts + comments: 5
Not sure what you really want. Either you can display nodes + number of comments or nodes and comments at the same level but then they don't have a total number because they are all separate? Or do you want to show each comment separate together with the number of comments in that thread?
If the latter, that might not be trivial.
Basically, you could create a UNION SELECT query and query both the node and the comment table. It could look like this:
-- {table} placeholders are expanded by Drupal's db_query()
(SELECT 'node' AS type, n.nid AS id, n.title AS title,
        nncs.comment_count AS comment_count, n.created AS timestamp
 FROM {node} n
 INNER JOIN {node_comment_statistics} nncs ON n.nid = nncs.nid)
UNION
(SELECT 'comment' AS type, c.cid AS id, c.subject AS title,
        cncs.comment_count AS comment_count, c.timestamp AS timestamp
 FROM {comments} c
 INNER JOIN {node_comment_statistics} cncs ON c.nid = cncs.nid)
ORDER BY timestamp DESC LIMIT 10;
That will return a result containing: node/comment | id | title | comment_count | timestamp.
See http://dev.mysql.com/doc/refman/5.1/en/union.html for more information about UNION.
You can then theme that as a table.
Hints:
- If you need more data, either extend the query or use node/comment_load.
- You could also join {node} in the second query and use the node title instead of the comment subject.
- That query is going to be slow because it will always do a filesort because you have a union there. It might actually be faster to execute two separate queries and then mangle them together in PHP if you have a large number of nodes/comments.
It turns out the Tracker 2 module provides enough of what I needed.