Home

Incorrect results from Log Analytics

%3CLINGO-SUB%20id%3D%22lingo-sub-354764%22%20slang%3D%22en-US%22%3EIncorrect%20results%20from%20Log%20Analytics%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-354764%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20seeing%20two%20different%20results%20from%20the%20same%20Log%20Analytics%20data%20set%20and%20don't%20understand%20why.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20using%20Log%20Analytics%20to%20monitor%20our%20iis%20web%20servers.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20run%20the%20query%20below%20is%20shows%20I%20have%2015%20errors%20from%203144%20pages.%3C%2FP%3E%3CPRE%3E%2F%2F%20failed%20request%20count%20by%20name%3CBR%20%2F%3Elet%20start%3Ddatetime(%222019-02-20T00%3A00%3A00.000Z%22)%3B%3CBR%20%2F%3Elet%20end%3Ddatetime(%222019-02-20T23%3A59%3A00.000Z%22)%3B%3CBR%20%2F%3Elet%20dataset%3Drequests%3CBR%20%2F%3E%2F%2F%20additional%20filters%20can%20be%20applied%20here%3CBR%20%2F%3E%7C%20where%20timestamp%20%26gt%3B%20start%20and%20timestamp%20%26lt%3B%20end%3CBR%20%2F%3E%7C%20where%20client_Type%20!%3D%20%22Browser%22%20%3CBR%20%2F%3E%7C%20where%20operation_Name%20%3D%3D%20%22POST%20assessmentForms%2FSaveAssessmentForm%22%20%3B%3CBR%20%2F%3Edataset%3CBR%20%2F%3E%2F%2F%20change%20'operation_Name'%20on%20the%20below%20line%20to%20segment%20by%20a%20different%20property%3CBR%20%2F%3E%7C%20summarize%20failedCount%3Dsumif(itemCount%2C%20success%20%3D%3D%20false)%2C%20totalCount%3Dsum(itemCount)%20by%20operation_Name%3CBR%20%2F%3E%2F%2F%20calculate%20failed%20request%20count%20for%20all%20requests%3C%2FPRE%3E%3CP%3EThis%20matches%20the%20results%20from%20my%20IIS%20logs%20on%20my%20web%20server.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%20if%20I%20use%20the%20same%20query%20without%20the%20summarize%20line%20to%20look%20at%20the%20raw%20data%20in%20log%20analytics%20I%20only%20see%202%20errors%20from%20178%20pages.%3C%2FP%3E%3CPRE%3E%2F%2F%20failed%20request%20count%20by%20name%3CBR%20%2F%3Elet%20start%3Ddatetime(%222019-02-20T00%3A00%3A00.000Z%22)%3B%3CBR%20%2F%3Elet%20end%3Ddatetime(%222019-02-20T23%3A59%3A00.000Z%22)%3B%3CBR%20%2F%3Elet%20dataset%3Drequests%3CBR%20%2F%3E%2F%2F%20additional%20filters%20can%20be%20applied%20here%3CBR%20%2F%3E%7C%20where%20timestamp%20%26gt%3B%20start%20and%20timestamp%20%26lt%3B%20end%3CBR%20%2F%3E%7C%20where%20client_Type%20!%3D%20%22Browser%22%20%3CBR%20%2F%3E%7C%20where%20operation_Name%20%3D%3D%20%22POST%20assessmentForms%2FSaveAssessmentForm%22%20%3B%3CBR%20%2F%3Edataset%3C%2FPRE%3E%3CP%3EI%20dont%20understand%20the%20different%20results.%20What%20am%20I%20doing%20wrong%20and%20where%20is%20the%20additional%20data%20gone%20in%20the%20second%20query.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20and%20all%20the%20best%3C%2FP%3E%3CP%3ETom%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-354764%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-355354%22%20slang%3D%22en-US%22%3ERe%3A%20Incorrect%20results%20from%20Log%20Analytics%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-355354%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3EI%20think%20the%20differences%20comes%20from%3C%2FP%3E%0A%3CPRE%3EitemCount%3C%2FPRE%3E%0A%3CP%3Ecolumn.%20In%20that%20column%20you%20have%20different%20values.%20For%20example%20the%20value%20could%20be%201%20or%2010.%20This%20is%20caused%20by%20Telemetry%20sampling%20functionality.%20So%20the%20number%20of%20records%20in%20Application%20Insights%20does%20not%20corresponds%20exactly%20on%20total%20requests.%3C%2FP%3E%0A%3CP%3EMore%20on%20that%20here%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fapp%2Fsampling%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fapp%2Fsampling%3C%2FA%3E%3C%2FP%3E%0A%3CP%3ELet%20me%20know%20if%20that%20answers%20your%20question.%3C%2FP%3E%3C%2FLINGO-BODY%3E
thomsewe
Occasional Visitor

I am seeing two different results from the same Log Analytics data set and don't understand why.

 

We are using Log Analytics to monitor our iis web servers.

 

If I run the query below is shows I have 15 errors from 3144 pages.

// failed request count by name
let start=datetime("2019-02-20T00:00:00.000Z");
let end=datetime("2019-02-20T23:59:00.000Z");
let dataset=requests
// additional filters can be applied here
| where timestamp > start and timestamp < end
| where client_Type != "Browser"
| where operation_Name == "POST assessmentForms/SaveAssessmentForm" ;
dataset
// change 'operation_Name' on the below line to segment by a different property
| summarize failedCount=sumif(itemCount, success == false), totalCount=sum(itemCount) by operation_Name
// calculate failed request count for all requests

This matches the results from my IIS logs on my web server.

 

However if I use the same query without the summarize line to look at the raw data in log analytics I only see 2 errors from 178 pages.

// failed request count by name
let start=datetime("2019-02-20T00:00:00.000Z");
let end=datetime("2019-02-20T23:59:00.000Z");
let dataset=requests
// additional filters can be applied here
| where timestamp > start and timestamp < end
| where client_Type != "Browser"
| where operation_Name == "POST assessmentForms/SaveAssessmentForm" ;
dataset

I dont understand the different results. What am I doing wrong and where is the additional data gone in the second query.

 

Thanks and all the best

Tom

1 Reply

Hi,

I think the differences comes from

itemCount

column. In that column you have different values. For example the value could be 1 or 10. This is caused by Telemetry sampling functionality. So the number of records in Application Insights does not corresponds exactly on total requests.

More on that here:

https://docs.microsoft.com/en-us/azure/azure-monitor/app/sampling

Let me know if that answers your question.

Related Conversations
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
28 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
2 Replies
*Updated 9/3* Syncing in Microsoft Edge Preview Channels
Elliot Kirk in Articles on
203 Replies
Early preview of Microsoft Edge group policies
Sean Lyndersay in Discussions on
65 Replies