Bart Verboven
Copper Contributor
May 28, 2018

Help requested with log analytics query for Application Gateway timechart

Hi,

Can anyone help out a starting log analytics rookie?

I am trying to troubleshoot performance on an Application Gateway and noticed a specific IP has a high amount of hits compared to the others (factor 10000).

I want to filter out all requests for that specific IP address and set on a timeline how many requests have been sent by this IP in time so I can correlate traffic originating from that IP with the performance issues we experienced.


What I already have is quite limited:

search in (AzureDiagnostics) ResourceType == "APPLICATIONGATEWAYS" and Resource == "mygateway"
| where clientIP_s == "1.1.1.1"
| render timechart


Thanks for your feedback!

Bart

  • Hi Bart,


    If I understand your question correctly, you're looking for the bin() command. I've also cleaned up the rest of your query to be more performant. Try to avoid "search" whenever possible to improve your query times; in this case, since you know the table name and column names where your data is, filter by them directly.

    AzureDiagnostics
    | where ResourceType == "APPLICATIONGATEWAYS" and Resource == "mygateway"
    | where clientIP_s == "1.1.1.1"
    | summarize count() by bin(TimeGenerated, 1h)
    | render timechart

    Note that while I'm using "1h" here as the size of the bucket which you want to examine, I could just as easily say "2m" (2 minute buckets), "30s" (30 seconds), etc.


    Thanks,

    -Evgeny
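An added example (not from the thread, and not Evgeny's query) that takes the same bin() idea one step further toward Bart's correlation question: it puts the suspect client's request count and its share of all requests beside the gateway-wide total on one timechart, so a spike from that one address can be lined up against the slow period. It assumes the access-log rows are the ones with Category == "ApplicationGatewayAccessLog" and uses a placeholder 5-minute bucket.

```kusto
// Added example: suspect-client request rate vs. the whole gateway, per time bucket.
// Assumptions: access logs are the rows with Category == "ApplicationGatewayAccessLog"
// (excludes performance and firewall log rows that share the AzureDiagnostics table);
// "1.1.1.1" and "mygateway" are the placeholders from the thread; 5m is a placeholder
// bucket size to adjust to the length of the incident window.
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and Resource == "mygateway"
| where Category == "ApplicationGatewayAccessLog"
// countif() counts only the suspect client's rows, count() counts every request in the bucket
| summarize total = count(), suspect = countif(clientIP_s == "1.1.1.1") by bin(TimeGenerated, 5m)
// share of traffic coming from the single address, in percent, to quantify the "factor 10000" claim per bucket
| extend suspect_share_pct = round(100.0 * suspect / total, 1)
| project TimeGenerated, total, suspect, suspect_share_pct
| render timechart
```

Each numeric column becomes its own series on the chart; drop suspect_share_pct from the project line if the percentage scale makes the count series hard to read.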


    • Bart Verboven
      Copper Contributor

      Wonderful!

      This indeed returns the information that I'm looking for


      Thanks,

      Regards,

      Bart
