cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Query help

Dalesss
Copper Contributor

‎Nov 06 2019 11:36 AM - edited ‎Nov 06 2019 11:37 AM

‎Nov 06 2019 11:36 AM - edited ‎Nov 06 2019 11:37 AM

Query help

Hi all,

 

I'm very new to Kusto and I do have the following question:

With the following query:

 

 

ContainerLog
| where Image contains "xyz"
| where LogEntry contains "ACTIVATE serviceIds"
| where LogEntry !contains "DEACTIVATE"
| project log=parse_json(LogEntry).message.log

 

 

 I do get the following result:

ACTIVATE serviceIds: [501]
ACTIVATE serviceIds: [669]
ACTIVATE serviceIds: [20, 662]
ACTIVATE serviceIds: [20, 662]
ACTIVATE serviceIds: [20, 645, 669]

Is it possible to render that result as a barchart with each bar representing the count of one serviceId?

 

So in this particular case that would mean a barchart with 5 bars:

20 -> count = 3

501 -> count = 1

645 -> count = 1

662 -> count = 2

669 -> count = 2

 

Any help is very much appreciated!

 

Cheers,

 

Silvio

 

PS: I hope I got the right place to post this question.

 

994 Views
0 Likes
2 Replies
Reply
2 Replies
Yoni

‎Nov 06 2019 11:41 AM

‎Nov 06 2019 11:41 AM

Re: Query help

you could try something like this:

 

datatable(s:string)
[
    'ACTIVATE serviceIds: [501]',
    'ACTIVATE serviceIds: [669]',
    'ACTIVATE serviceIds: [20, 662]',
    'ACTIVATE serviceIds: [20, 662]',
    'ACTIVATE serviceIds: [20, 645, 669]',
]
| parse s with * "serviceIds: " serviceIds:dynamic
| mv-expand serviceId = serviceIds to typeof(long)
| summarize count() by serviceId
| render barchart
0 Likes
Reply
Dalesss

‎Nov 06 2019 11:02 PM

‎Nov 06 2019 11:02 PM

Re: Query help

@Yoni 

 

Thanks, mate. That's exactly what I was looking for!

0 Likes
Reply