I'm having trouble understanding how to properly write a query which returns how long a VM has been running based on Azure Activity Logs.
The query below returns the latest values for when the VM was started and when it was deallocated. So I need to return a value which tells me how long the machine has been running, or a negative value for the situation when the VM was deallocated. How do I do that properly?
AzureActivity | where TimeGenerated >= ago(30d) and OperationName == "Deallocate Virtual Machine" or OperationName == "Start Virtual Machine" and ActivityStatus == "Succeeded"
| summarize arg_max(EventSubmissionTimestamp, *) by OperationName
Assuming you have a table AzureActivity with columns OperationName, TimeGenerated, EventSubmissionTimestamp, MachineId, ActivityStatus (I am deriving the columns from your question), you can use the following query:
// Inline data for the purpose of the query demonstration
let AzureActivity = datatable(OperationName:string, TimeGenerated:datetime, EventSubmissionTimestamp:datetime, MachineId:string, ActivityStatus:string)
[
// Machine 1
'Start Virtual Machine', datetime(2019-01-27 00:00), datetime(2019-01-27 00:00), 'Machine1', 'Succeeded',
'Deallocate Virtual Machine', datetime(2019-01-27 00:00), datetime(2019-01-27 01:00), 'Machine1', 'Succeeded',
// Machine 2
'Start Virtual Machine', datetime(2019-01-27 00:00), datetime(2019-01-27 00:00), 'Machine2', 'Succeeded',
];
// Query starts here
let _data = materialize(
    AzureActivity
    | where TimeGenerated >= ago(30d)
        and (OperationName == "Deallocate Virtual Machine" or OperationName == "Start Virtual Machine")
        and ActivityStatus == "Succeeded"
    | summarize arg_max(EventSubmissionTimestamp, *) by OperationName, MachineId
);
let startEvents = _data | where OperationName == 'Start Virtual Machine' | project StartTime = EventSubmissionTimestamp, MachineId;
let deallocateEvents = _data | where OperationName == 'Deallocate Virtual Machine' | project DeallocateTime = EventSubmissionTimestamp, MachineId;
startEvents | join kind = fullouter (deallocateEvents) on MachineId
| project MachineId, StartTime, DeallocateTime,
    UpTime=iif(isnotnull(DeallocateTime),
        (DeallocateTime-now()),
        (now()-StartTime))
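An added example, not part of the original answer: a variant that keeps only the most recent successful start or deallocate event per machine, so a VM that was deallocated and later started again is reported as running. The sample rows are constructed, and the 30-day TimeGenerated filter is left out because the sample dates are fixed.

```kusto
// Constructed sample data for demonstration (same column layout as the answer above)
let AzureActivity = datatable(OperationName:string, TimeGenerated:datetime, EventSubmissionTimestamp:datetime, MachineId:string, ActivityStatus:string)
[
    // Machine1: started, deallocated, started again -> currently running
    'Start Virtual Machine',      datetime(2019-01-27 00:00), datetime(2019-01-27 00:00), 'Machine1', 'Succeeded',
    'Deallocate Virtual Machine', datetime(2019-01-27 01:00), datetime(2019-01-27 01:00), 'Machine1', 'Succeeded',
    'Start Virtual Machine',      datetime(2019-01-27 02:00), datetime(2019-01-27 02:00), 'Machine1', 'Succeeded',
    // Machine2: started, then deallocated -> currently deallocated
    'Start Virtual Machine',      datetime(2019-01-27 00:00), datetime(2019-01-27 00:00), 'Machine2', 'Succeeded',
    'Deallocate Virtual Machine', datetime(2019-01-27 03:00), datetime(2019-01-27 03:00), 'Machine2', 'Succeeded',
    // Machine3: the deallocate attempt failed, so it must not count -> still running
    'Start Virtual Machine',      datetime(2019-01-27 00:00), datetime(2019-01-27 00:00), 'Machine3', 'Succeeded',
    'Deallocate Virtual Machine', datetime(2019-01-27 04:00), datetime(2019-01-27 04:00), 'Machine3', 'Failed'
];
AzureActivity
// On real data, also restrict the window, e.g. | where TimeGenerated >= ago(30d)
| where OperationName in ("Start Virtual Machine", "Deallocate Virtual Machine")
| where ActivityStatus == "Succeeded"
// Keep only the latest qualifying event per machine; its type decides the current state
| summarize arg_max(EventSubmissionTimestamp, OperationName) by MachineId
| project MachineId,
          LastOperation = OperationName,
          LastChange = EventSubmissionTimestamp,
          // Positive: time running since the last start.
          // Negative: time elapsed since the last deallocation.
          UpTime = iff(OperationName == "Start Virtual Machine",
                       now() - EventSubmissionTimestamp,
                       EventSubmissionTimestamp - now())
| order by MachineId asc
```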
I want to have a table that stores only daily tables sizes.
But it won't work this way:
.set-or-replace async tables_daily_storage <|
(
.show cluster extents
| where MinCreatedOn >= startofday(now())
| project DatabaseName,TableName,OriginalSize,D=bin(MinCreatedOn,1d)
| summarize total_size=sum(OriginalSize) by DatabaseName, TableName
)
Because I used .show function which is a management function.
Is there anything to get around this problem?
Simply remove the brackets
.set-or-replace async tables_daily_storage <|
.show cluster extents
| where MinCreatedOn >= startofday(now())
| project DatabaseName,TableName,OriginalSize,D=bin(MinCreatedOn,1d)
| summarize total_size=sum(OriginalSize) by DatabaseName, TableName
I am writing a Kusto query to create a Dashboard to display the health of the VMs. The VM name, status, mode, enabled status are available in a single Kusto table.
Below is the query to list the VMs
VM
| where VMName has "XYZ"
| where VMName !has "XYZ123"
| where VMName has_any ("s","t","u","v")
I need to do 1 more filter which would be to identify the VM with status and assigned to variables as below
enabled = "mode =online & enabled =true"
disabled = "mode =offline & enabled =true"
total = enabled + disabled
From here I will calculate the total count and percent of enabled VMs to display in the Dashboard.
But I could not use operator "where" to do this. Could you please help me as I am stuck here with no solution. Thanks for the support.
You can use the summarize and countif() function, here is an example that assumes that you have a column called state that has the values "online" and "offline" and a column that is called mode that is "enabled" or "disabled"
VM
| where VMName has "XYZ"
| where VMName !has "XYZ123"
| where VMName has_any ("s","t","u","v")
| summarize Total = count(), EnabledCount = countif(mode == "online" and state=="enabled"), DisabledCount= countif(mode == "offline" and state=="enabled")
Query1
cluster(x).database('$systemdb').Operations
| where Operation == "DatabaseCreate" and Database contains "oci-"| where State =='Completed'
and StartedOn between (datetime(2020-04-07) .. 3d)
| distinct Database , StartedOn
| order by StartedOn desc
Output of my query1 is list of databases , now I have to pass each db value into query2 to get buildnumber
Query2:
set query_take_max_records=5000;
let view=datatable(Property:string,Value:dynamic)[];
let viewFile=datatable(FileName:string)[];
alias database db = cluster(x).database('y');
let latestInfoFile = toscalar((
union isfuzzy=true viewFile,database('db').['TextFileLogs']
| where FileName contains "AzureStackStampInformation"
| distinct FileName
| order by FileName
| take 1));
union isfuzzy=true view,(
database('db').['TextFileLogs']
| where FileName == latestInfoFile
| distinct LineNumber,FileLineContent
| order by LineNumber asc
| summarize StampInfo=(toobject(strcat_array(makelist(FileLineContent,100000), "\r\n")))
| mvexpand bagexpansion=array StampInfo
| project Property=tostring(StampInfo[0]), Value=StampInfo[1]
)|where Property contains "StampVersion" | project BuildNumber = Value;
The database() function is a special scoping function, and it does not support non-constant arguments due to security considerations.
As a result, you cannot use a sub-query to fetch a list of databases and then operate on this list as input for the database() function.
This behavior is described at:
https://learn.microsoft.com/en-us/azure/kusto/query/databasefunction?pivots=azuredataexplorer
Syntax
database(stringConstant)
Arguments
stringConstant: Name of the database that is referenced. Database identified can be either DatabaseName or PrettyName. Argument has to be constant prior of query execution, i.e. cannot come from sub-query evaluation.
I use this query to display exceptions:
exceptions
| where application_Version == "xyz"
| summarize count_=count(itemCount), impactedUsers=dcount(user_Id) by problemId, type, method, outerMessage, innermostMessage
| order by impactedUsers
How to query what percent of users are impacted by specific exception?
I would check all users by this query:
customEvents
| where application_Version == "xyz"
| summarize dcount(user_Id)
You're almost there with what you have, you just need to connect the two:
use let + toscalar to define the results of a query as a number
reference that in your query (I used *1.0 to force it to be a float, otherwise you get 0, and used round to get 2 decimals, adjust that however you need)
making your query:
let totalUsers = toscalar(customEvents
| where application_Version == "xyz"
| summarize dcount(user_Id));
exceptions
| where application_Version == "xyz"
| summarize count_=count(itemCount),
impactedUsers=dcount(user_Id),
percent=round(dcount(user_Id)*1.0/totalUsers*100.0,2)
by problemId, type, method, outerMessage, innermostMessage
| order by impactedUsers
There is a LocalStorage example in the Qt documentation:
function findGreetings() {
    var db = LocalStorage.openDatabaseSync("QQmlExampleDB", "1.0", "The Example QML SQL!", 1000000);
    db.transaction(
        function(tx) {
            // Some other commands
            // Show all added greetings
            var rs = tx.executeSql('SELECT * FROM Greeting');
        }
    )
}
What's the data type of rs?
See the Quick Local Storage QML module documentation:
results = tx.executeSql(statement, values)
This method executes a SQL statement, binding the list of values to
SQL positional parameters ("?").
It returns a results object, with the following properties:
| Type | Property | Value | Applicability |
-----------------------------------------------------------------------------------------
| int | rows.length | The number of rows in the result | SELECT |
-----------------------------------------------------------------------------------------
| var | rows.item(i) | Function that returns row i of the result | SELECT |
-----------------------------------------------------------------------------------------
| int | rowsAffected | The number of rows affected by a modification | UPDATE,DELETE |
-----------------------------------------------------------------------------------------
| string | insertId | The id of the row inserted | INSERT |
If all you want is to know the type of returned object, just do:
var rs = tx.executeSql(...);
console.log(rs);
qml: [object Object]