Forum Discussion

Oleg__D's avatar
Oleg__D
Copper Contributor
Nov 24, 2020
Solved

Heartbeat availability according to ComputerIP

Hello, Since I am novice in KQL I am struggling a bit with a chart I would like to build.  I would like the query to render a graph where I can watch the servers availability according to ComputerIP...
  • GaryBushey's avatar
    GaryBushey
    Nov 24, 2020

    Oleg__D You were very close.   What I did was make sure the bin(TimeGenerated,1d) value was passed through so you could use it as the X-axis and change dcount to count.  I also added names to everything, but that is just me, it isn't required.   The thing with dcount is, according to the documentation, it "Returns an **estimate** for the number of distinct values that are taken by a scalar expression in the summary group."  (** added for emphasis).  count is better for smaller sample sizes.  The only problem with this query is that it will not show any entries that do not have a value for given date so you would need to know how to interpret the results.

     

    Heartbeat
    where TimeGenerated > ago(30d)
    summarize CountComputerIP = count(ComputerIP) by Computer, newDate = bin(TimeGenerated, 1d)
    project Computer = tostring(split(Computer, ".")[0]), CountComputerIP, newDate
    render timechart title="Availability computers - daily"
     
    Rewriting the query as below will show you all those dates where a computer has 0 entries
     
    Heartbeat
    make-series  CountComputerIP = count(ComputerIP) default=0 on TimeGenerated from ago(30d) to now() step 1by Computer
    render timechart title="Availability computers - daily"
GaryBushey's avatar
GaryBushey
Bronze Contributor
Nov 24, 2020

Oleg__D You were very close.   What I did was make sure the bin(TimeGenerated,1d) value was passed through so you could use it as the X-axis and change dcount to count.  I also added names to everything, but that is just me, it isn't required.   The thing with dcount is, according to the documentation, it "Returns an **estimate** for the number of distinct values that are taken by a scalar expression in the summary group."  (** added for emphasis).  count is better for smaller sample sizes.  The only problem with this query is that it will not show any entries that do not have a value for given date so you would need to know how to interpret the results.

 

Heartbeat
where TimeGenerated > ago(30d)
summarize CountComputerIP = count(ComputerIP) by Computer, newDate = bin(TimeGenerated, 1d)
project Computer = tostring(split(Computer, ".")[0]), CountComputerIP, newDate
render timechart title="Availability computers - daily"
 
Rewriting the query as below will show you all those dates where a computer has 0 entries
 
Heartbeat
make-series  CountComputerIP = count(ComputerIP) default=0 on TimeGenerated from ago(30d) to now() step 1by Computer
render timechart title="Availability computers - daily"
Oleg__D's avatar
Oleg__D
Copper Contributor
Nov 24, 2020

Thanks a lot! Didn't even thought about series statement. Now it looks exactly how it should be.
Actually you helped me to find out that ComputerIP is not the best value to use in this case 🙂

I will try to combine it with availability rate (buckets) calculation.

Resources