Forum Discussion

SebasL
Copper Contributor
Aug 24, 2021
Solved

Getting incremental value from Perf / TCPv4 / Connection Failures

I would like to run a query based on the performance counter ObjectName == "TCPv4" and CounterName == "Connection Failures"

 

This counter displays the TCP Failure number but its particularity is that the counter is incremental.

I would like, with my query, to get only the incremental between two data points.

Let's say my counter is every 300 seconds (5m), how can I have a column with the value incremented every 300 or 600 seconds?

 

My current query looks like this. I've looked for a way of using some kind of summarize operator without success.

Perf
| where Computer =~ "MyComputerName"
| where ObjectName == "TCPv4" and CounterName == "Connection Failures"
| project TimeGenerated, Computer, ObjectName, CounterName, CounterValue

 

 

thanks!

 

 


2 Replies

  • Hi,

     

    You can use the prev command. In this example, we look at free space on the C: volume on a computer named Idala. We compare the previous counter value with the current one. We also do a CASE to write different text strings based on the current free space.

     

    Perf
    | where Computer == "idala"
    | where CounterName == "% Free Space"
    | where InstanceName == "C:"
    // prev() reads the preceding row, so sort oldest-first (sorting also serializes the row set)
    | order by TimeGenerated asc
    | extend prevValue = prev(CounterValue, 1)
    | extend diffvalue = CounterValue - prevValue
    | extend trend = case(CounterValue < prevValue, "Free Space Reduces",
        CounterValue > prevValue, "Free Space Increases",
        "No difference")
    | project TimeGenerated, InstanceName, CounterValue, prevValue, diffvalue, trend
    | order by TimeGenerated desc

    • SebasL
      Copper Contributor
      Wow thanks! Didn't know about PREV().

      That works A1!

      Perf
      | where Computer == "Contoso"
      | where ObjectName in ("TCPv4") and CounterName == "Connection Failures"
      | order by TimeGenerated asc
      | extend CounterValue_prevValue = prev(CounterValue, 1)
      | project
      TimeGenerated
      , Computer
      , ObjectName
      , CounterName
      , CounterValue
      , CounterValue_Incremental=CounterValue - CounterValue_prevValue
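
The prev() approach from the thread, generalized to several computers at once, with counter resets (for example after a reboot) handled and the per-sample deltas rolled up into 10-minute bins. This is an added example, not a query posted by anyone in the thread; the SamplePerf rows, the host names and the choice to count the post-reset value as the delta are assumptions.

```kusto
// Constructed sample rows standing in for the Perf table (not real data).
let SamplePerf = datatable(TimeGenerated: datetime, Computer: string,
                           ObjectName: string, CounterName: string, CounterValue: real)
[
    datetime(2021-08-24 10:00:00), "HostA", "TCPv4", "Connection Failures", 100.0,
    datetime(2021-08-24 10:05:00), "HostA", "TCPv4", "Connection Failures", 104.0,
    datetime(2021-08-24 10:10:00), "HostA", "TCPv4", "Connection Failures", 104.0,
    datetime(2021-08-24 10:15:00), "HostA", "TCPv4", "Connection Failures", 3.0,   // cumulative counter restarted
    datetime(2021-08-24 10:20:00), "HostA", "TCPv4", "Connection Failures", 9.0,
    datetime(2021-08-24 10:00:00), "HostB", "TCPv4", "Connection Failures", 5000.0,
    datetime(2021-08-24 10:05:00), "HostB", "TCPv4", "Connection Failures", 5250.0,
    datetime(2021-08-24 10:10:00), "HostB", "TCPv4", "Connection Failures", 5251.0,
];
SamplePerf   // swap in Perf when running against a real workspace
| where ObjectName == "TCPv4" and CounterName == "Connection Failures"
// Group each computer's samples together, oldest first, so prev() sees the right neighbor.
| sort by Computer asc, TimeGenerated asc
| extend PrevComputer = prev(Computer), PrevValue = prev(CounterValue)
| extend Delta = case(
    Computer != PrevComputer, real(null),     // first sample of a computer: no baseline yet
    CounterValue < PrevValue, CounterValue,   // counter went backwards: treat as a reset (assumption)
    CounterValue - PrevValue)                 // normal case: increase since the previous sample
| where isnotnull(Delta)
// Roll the 5-minute deltas up to the reporting interval (600 seconds here).
| summarize Failures = sum(Delta) by Computer, bin(TimeGenerated, 10m)
| order by Computer asc, TimeGenerated asc
```

Without the Computer comparison, the first row of each host would be diffed against the last row of the previous host and produce a meaningless delta.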
