Kusto Query Earliest and Latest date in the Past 21 days - azure-data-explorer

So I am new to kusto and I am trying to get the min and max dates of the past 21 days in a kusto query and I want to project those min and max dates.
How do I modify this simple query to get the min and max dates of the past 21 days?
customEvents
| where timestamp >= ago(21d)
| project timestamp

You can use summarize with max() and min() like this:
customEvents
| where timestamp >= ago(21d)
| summarize min(timestamp), max(timestamp)

Related

Get maximal value per Azure Data Explorer table from tables with same schema

I have multiple tables with telemetry Metric_1, Metric_2, Metric_3 and all those tables have the same schema (e.g. they contain Timestamp column). I'd like to get the most recent timestamp per table.
I found possibility of using union wildcard, but query
union Metric_*
|summarize Max= max(Timestamp)
never actually finished.
Query
Metric_1
|top 1 by Timestamp
takes no time. But even summarize on a single table takes forever (I killed it after 2 minutes)
Metric_1
|summarize Max= max(Timestamp)
Can you explain the time difference and suggest how to accomplish what I need? The outcome should be
Table | MaxTimestamp
Metric_1 | Date1
Metric_2 | Date2
Metric_3 | Date3
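One way to get the per-table maximum in a single query, added here as an example and not part of the original question or any answer on the page: `union withsource=` tags every row with the name of the table it came from, so one `summarize ... by` yields one row per table. The three `datatable` definitions below are constructed stand-ins for the real Metric_1..Metric_3 tables (assumed to share a Timestamp column, as the question states); against the real database the `let` blocks are dropped and the wildcard form `union withsource=Table Metric_*` is used instead.

```kql
// Constructed sample tables standing in for Metric_1, Metric_2, Metric_3.
let Metric_1 = datatable(Timestamp:datetime, Value:real) [
    datetime(2024-03-01 08:00:00), 1.0,
    datetime(2024-03-02 08:00:00), 2.0,
];
let Metric_2 = datatable(Timestamp:datetime, Value:real) [
    datetime(2024-03-05 08:00:00), 3.0,
];
let Metric_3 = datatable(Timestamp:datetime, Value:real) [
    datetime(2024-02-28 08:00:00), 4.0,
    datetime(2024-03-03 08:00:00), 5.0,
];
// withsource=Table adds a string column "Table" holding the source table name
// of each row. With real tables, write: union withsource=Table Metric_*
union withsource=Table Metric_1, Metric_2, Metric_3
| summarize MaxTimestamp = max(Timestamp) by Table
| sort by Table asc
// Expected result for the constructed data:
//   Metric_1  2024-03-02 08:00:00
//   Metric_2  2024-03-05 08:00:00
//   Metric_3  2024-03-03 08:00:00
```

If the whole most-recent row per table is wanted rather than only its timestamp, `summarize arg_max(Timestamp, *) by Table` replaces the `max()` line.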

Using KQL (Kusto query language), how to group datetimes into weeks (or 7-day chunks)?

I am running KQL (Kusto query language) queries against Azure Application Insights. I have certain measurements that I want to aggregate weekly. I am trying to figure out how to split my data into weeks.
To illustrate what I seek, here is a query that computes daily averages of the duration column.
requests
| where timestamp > ago(7d)
| summarize
avg(duration)
by
Date = format_datetime(timestamp, "yyyy-MM-dd")
This produces something similar to this:
In the above I have converted datetimes to string and thus effectively "rounded them down" to the precision of one day. This may be ugly, but it's the easiest way I could think of in order to group all results from a given day. It would be trivial to round down to months or years with the same technique.
But what if I want to group datetimes by week? Is there a nice way to do that?
I do not care whether my "weeks" start on Monday or Sunday or January 1st or whatever. I just want to group a collection of KQL datetimes into 7-day chunks. How can I do that?
Thanks in advance!
Looks like you are looking for the "bin()" function:
requests
| where timestamp > ago(7d)
| summarize
avg(duration)
by
bin(timestamp, 1d) // one day, for 7 days change it to 7d
I found out that I can use the week_of_year function to split datetimes by week number:
requests
| where timestamp > ago(30d)
| summarize
avg(duration)
by
Week = week_of_year(timestamp)
| sort by Week
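A week-grouping query that keeps the bucket as a datetime, added here as an example and not code from either answer above. `startofweek()` snaps each timestamp to the Sunday that starts its week, so rows are grouped into whole calendar weeks and the result sorts chronologically. The `requests` datatable is constructed sample data that deliberately spans a year boundary, because `week_of_year()` restarts at 1 each January: over a 30-day window crossing New Year, late-December and early-January rows with the same week number would be merged into one group unless the year is also part of the `by` clause.

```kql
// Constructed sample rows standing in for the Application Insights requests table.
let requests = datatable(timestamp:datetime, duration:real) [
    datetime(2023-12-27 09:00:00), 120.0,   // week starting Sun 2023-12-24
    datetime(2023-12-29 09:00:00),  80.0,   // same week
    datetime(2024-01-03 09:00:00), 200.0,   // week starting Sun 2023-12-31
    datetime(2024-01-10 09:00:00),  50.0,   // week starting Sun 2024-01-07
];
// startofweek() rounds each datetime down to Sunday 00:00 of its week.
// bin(timestamp, 7d) would instead give fixed 7-day buckets aligned to the
// datetime origin, not to any particular weekday; either satisfies "7-day chunks".
requests
| summarize AvgDuration = avg(duration), Requests = count()
    by WeekStart = startofweek(timestamp)
| sort by WeekStart asc
// Expected result for the constructed data:
//   2023-12-24  100.0  2
//   2023-12-31  200.0  1
//   2024-01-07   50.0  1
```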

Aggregate/Summarize Timeseries data in Azure Data Explorer using Kusto

I have a requirement where I need to regularize/aggregate data which is polled every 1 sec into 1 min intervals. And I have two columns which need to be aggregated as well, say SensorName, SensorValue. I am able to bin the timestamp to 1 minute, but I am not able to get the corresponding two columns. How do I do that? Below is the query I used and the output I get.
Table
| where TimeStamp between (datetime(2020-09-01)..datetime(2020-09-30))
| summarize by bin(TimeStamp , 1min)
Based on my understanding of the question (could be wrong, as there's no clear specification of sample input/schema and matching output), you could try following this example - it calculates the average sensor value for each sensor name, using an aggregation span of 1 minute:
Table
| where TimeStamp between (datetime(2020-09-01)..datetime(2020-09-30))
| summarize avg(SensorValue) by SensorName, bin(TimeStamp, 1min)
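The `summarize ... by bin()` answer above drops any minute in which a sensor sent nothing, so the output is not a regular series. If the requirement is a value for every minute per sensor, `make-series` fills the empty steps with a default. This is an added example, not the answerer's code; the `Table` datatable is constructed 1-second sample data (with deliberate gaps) standing in for the questioner's table, and the assumed schema is TimeStamp, SensorName, SensorValue.

```kql
// Constructed 1-second samples with gaps, standing in for the question's Table.
let Table = datatable(TimeStamp:datetime, SensorName:string, SensorValue:real) [
    datetime(2020-09-01 00:00:00), "temp",     20.0,
    datetime(2020-09-01 00:00:01), "temp",     22.0,
    datetime(2020-09-01 00:00:02), "temp",     24.0,
    datetime(2020-09-01 00:00:00), "pressure",  1.0,
    datetime(2020-09-01 00:00:01), "pressure",  1.2,
    datetime(2020-09-01 00:01:30), "temp",     30.0,   // no "pressure" sample in minute 00:01
    datetime(2020-09-01 00:03:15), "pressure",  1.4,   // minute 00:02 has no samples at all
];
// make-series emits one value per 1-minute step for every sensor across the whole
// range, using the default for empty minutes. mv-expand turns the parallel arrays
// (one timestamp array, one value array) back into ordinary rows.
Table
| make-series AvgValue = avg(SensorValue) default=0.0
    on TimeStamp from datetime(2020-09-01 00:00:00) to datetime(2020-09-01 00:04:00) step 1min
    by SensorName
| mv-expand TimeStamp to typeof(datetime), AvgValue to typeof(real)
| project TimeStamp, SensorName, AvgValue
| sort by SensorName asc, TimeStamp asc
// Expected result for the constructed data (4 rows per sensor):
//   pressure 00:00 -> 1.1, 00:01 -> 0.0, 00:02 -> 0.0, 00:03 -> 1.4
//   temp     00:00 -> 22.0, 00:01 -> 30.0, 00:02 -> 0.0, 00:03 -> 0.0
```

For live data, replace the fixed `from`/`to` bounds with the `between` range used in the question; the default value can also be `double(null)` if an empty minute should show as missing rather than zero.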

Azure VM average cpu usage past 30 days

I'm trying to write down an Azure Log analytics query that would show me the average CPU usage in the past 30 days for my Azure virtual machines.
With the following query I have some results, but not really what I'm looking for:
Perf
| where ObjectName == 'Processor' and CounterName == '% Processor Time' and InstanceName == '_Total'
| summarize CPUAvarage = avg(CounterValue) by Computer, bin(TimeGenerated, 1h)
Result:
The results are in the correct form, but the TimeGenerated should be the last 30 days and "CPUAvarage" should display 1 number for the past 30 days (30-day average cpu). If I'm correct the query should add all values together for the past 30 days and then divide by the count, but with my current Kusto skills I'm not able to do this.
I don't fully understand what you're trying to achieve, so here are your options:
If you want the result to be per day, and not per hour, then you should replace bin(TimeGenerated, 1h) with bin(TimeGenerated, 1d), because 1h is an hour, and 1d is a day.
If you want the average CPU per computer over the whole month, then replace your summarize line with | summarize CPUAvarage = avg(CounterValue) (note that I removed the bin part).
If you want the average CPU per day for all your computers (rather than per computer), then replace your summarize line with | summarize CPUAvarage = avg(CounterValue) by bin(TimeGenerated, 1d).
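The question's query has no time filter at all, so whichever of the three options is chosen, the average would be computed over every row retained in the workspace rather than over 30 days. The query below adds that window and reports one row per computer, as an added example (not the answerer's query). The `Perf` datatable is constructed sample data; a fixed `windowEnd` is used so the result is reproducible, and against the live Perf table the filter becomes `where TimeGenerated >= ago(30d)`.

```kql
// Constructed Perf rows standing in for the Log Analytics Perf table.
let Perf = datatable(TimeGenerated:datetime, Computer:string, ObjectName:string,
                     CounterName:string, InstanceName:string, CounterValue:real) [
    datetime(2024-03-01 00:00:00), "vm-a", "Processor", "% Processor Time", "_Total", 10.0,
    datetime(2024-03-10 00:00:00), "vm-a", "Processor", "% Processor Time", "_Total", 30.0,
    datetime(2024-03-20 00:00:00), "vm-a", "Processor", "% Processor Time", "_Total", 50.0,
    datetime(2024-03-20 00:00:00), "vm-a", "Processor", "% Processor Time", "0",      99.0, // per-core row, excluded
    datetime(2024-03-05 00:00:00), "vm-b", "Processor", "% Processor Time", "_Total",  5.0,
    datetime(2024-03-06 00:00:00), "vm-b", "Processor", "% Processor Time", "_Total", 15.0,
    datetime(2024-01-01 00:00:00), "vm-b", "Processor", "% Processor Time", "_Total", 95.0, // outside the 30-day window
];
// Fixed end of the window so the example is reproducible; live: now() and ago(30d).
let windowEnd = datetime(2024-03-31 00:00:00);
Perf
| where TimeGenerated between ((windowEnd - 30d) .. windowEnd)
| where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName == "_Total"
// No bin(): one row per computer covering the whole window. Samples shows how
// many readings the average rests on, and the 95th percentile exposes peaks the
// mean hides.
| summarize CPUAverage = avg(CounterValue),
            CPUp95 = percentile(CounterValue, 95),
            Samples = count()
    by Computer
| sort by Computer asc
// Expected result for the constructed data:
//   vm-a  CPUAverage 30.0  Samples 3
//   vm-b  CPUAverage 10.0  Samples 2   (the January row is outside the window)
```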

Getting the sum of a category in a specific month in sqlite

I am trying to get the sum of all categories from a certain month from my transactions table in my sqlite database. Here is how the table is set up...
| id | transactionDate | transactionAmount | transactionCategory | transactionAccount |
Now, I want to specify three things:
The account name
The month
The year
And get the sum of the transactionAmount grouped by transactionCategory from the specified account, year, and month.
Here is what my SELECT statement looks like...
SELECT SUM(transactionAmount) AS total, transactionDate, transactionCategory
FROM transactions
WHERE transactionAccount=? AND strftime('%m', transactionDate)=? AND strftime('%y', transactionDate)=?
GROUP BY transactionCategory ORDER BY transactionCategory
Unfortunately, this returns zero rows. I am able to get accurate results if I don't try and select the month and year, but I would like to see the data from specific ranges of time...
I figured out the issue. I was simply formatting the year incorrectly. It should have been strftime('%Y', transactionDate)=? NOT strftime('%y', transactionDate)=? - the difference being a capital Y vs. a lowercase one.