garymansell
Oct 22, 2020

KQL Help - creating a histogram of concurrent user count from table of connect/completed timestamps?

Hi,

I am running Azure WVD connected into LogAnalytics and I would like to create a chart showing the number of concurrent users per hour over the previous week.

 

I have written this query (currently limited to just a specific user for testing):

 

let Events = WVDConnections
    | where UserName == "tomas.zemek@ricardo.com";
Events
| where State == "Connected"
| project CorrelationId, UserName, StartTime=TimeGenerated, State
| join
(
    Events
    | where State == "Completed"
    | project EndTime=TimeGenerated, CorrelationId, State
)
on CorrelationId
| project UserName, CorrelationId, State, State1, StartTime, EndTime
| sort by StartTime desc

 

 

Which gives me the below tabular output (I have included the state and state1 columns for clarity):

 
But I am stuck, as I can't work out how to do the make-series statement to count the number of concurrent user sessions at any time. The below statement just counts the number of

 

| make-series count(UserName) default=0 on StartTime from ago(7d) to now() step 15m

 
I am also aware that this query excludes any currently running sessions as they don't have a completed entry until they are finished and I would like to include the current sessions too.
 
Can anyone help me with the KQL for this?
 
Thanks in advance
 
Gary
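
One way to approach the question above, as an added example that is not part of the original post: expand each session into the hourly slots it overlaps, then count distinct users per slot. The names lookback, bin_size, window_start, Slot and ConcurrentUsers are hypothetical, and the query assumes that a "Connected" row with no matching "Completed" row is a session that is still running.

```kusto
// Added example, not from the original post.
let lookback = 7d;
let bin_size = 1h;
let window_start = bin(ago(lookback), bin_size);
let Connected = WVDConnections
    | where TimeGenerated > ago(lookback) and State == "Connected"
    | project CorrelationId, UserName, StartTime = TimeGenerated;
let Completed = WVDConnections
    | where TimeGenerated > ago(lookback) and State == "Completed"
    | project CorrelationId, EndTime = TimeGenerated;
Connected
// leftouter keeps sessions that have no "Completed" row yet
| join kind=leftouter Completed on CorrelationId
// Assumption: a missing EndTime means the session is still open
| extend EndTime = coalesce(EndTime, now())
// One array element per hourly slot the session overlaps
| extend Slot = range(bin(StartTime, bin_size), bin(EndTime, bin_size), bin_size)
| mv-expand Slot to typeof(datetime)
// Distinct users per slot; empty slots are filled with 0
| make-series ConcurrentUsers = dcount(UserName) default = 0
    on Slot from window_start to now() step bin_size
| render timechart
```

Sessions that started before the lookback window are not counted, because their "Connected" row falls outside the time filter; widening the filter on Connected while keeping the make-series range at seven days picks them up.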
 