Home

Join query question.

%3CLINGO-SUB%20id%3D%22lingo-sub-286311%22%20slang%3D%22en-US%22%3EJoin%20query%20question.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-286311%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20all%2C%3C%2FP%3E%0A%3CP%3EMy%20POD%20containers%20are%20logging%20their%20state%20and%20I%20need%20to%20find%20out%20how%20long%20the%20Containers%20are%20in%20the%20%E2%80%9CWaiting%E2%80%9D%20state.%3C%2FP%3E%0A%3CP%3EConsider%20the%20below%20table%20structure%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3E%3CSTRONG%3EContainerName%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3E%3CSTRONG%3EStatus%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E%3CSTRONG%3ETime%20Generated%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3EC1%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3ERunning%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E2018-11-13T19%3A31%3A17.000%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3EC1%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3ERunning%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E2018-11-13T19%3A32%3A17.000%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3EC2%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3ERunning%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E2018-11-13T19%3A31%3A17.000%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3EC2%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3ERunning%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E2018-11-13T19%3A29%3A17.000%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3EC1%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3EWaiting%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E2018-11-13T19%3A28%3A17.000%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3EC1%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3EWaiting%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E2018-11-13T19%3A29%3A17.000%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3EC2%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3EWaiting%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E2018-11-13T19%3A25%3A17.000%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3EC2%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156%22%3E%3CP%3EWaiting%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E2018-11-13T19%3A26%3A17.000%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEssentially%2C%20I%20need%20to%20find%20out%20the%20difference%20between%20the%20Waiting%20%E2%80%9CTime%20generated%E2%80%9D%26nbsp%3B%20with%20the%20next%20Running%20%E2%80%9CTime%20generated%E2%80%9D%20value.%20%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20keep%20in%20mind%20a%20Container%20can%20be%20in%20%E2%80%9CWaiting%E2%80%9D%20state%20and%20in%20Running%20state%20in%20multiple%20times%20(within%20any%20specific%20time-range)%2C%20for%20example%3C%2FP%3E%0A%3CP%3E%5B%20t1%3AWaiting%20-%26gt%3B%20t2%3AWaiting-%26gt%3B%20t3%3ARunning%20-%26gt%3B%20t4%3ARunning%20-%26gt%3B%20t5%3ARunning%20-%26gt%3B%20t6%3AWaiting%20-%26gt%3B%20t7%3ARunning%20-%26gt%3B%20t8%3ARunning%20-%26gt%3B%20%26nbsp%3Bt9%3ARunning%20-%26gt%3B%20%26nbsp%3Bt10%3AWaiting%20%5D%2C%20here%20t1%2C%20t2%2C%20t3%20are%20time%20points.%3CBR%20%2F%3E%20How%20to%20figure%20out%20this%20as%20query.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-286311%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EQuery%20Language%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-288511%22%20slang%3D%22en-US%22%3ERe%3A%20Join%20query%20question.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-288511%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20sure%20which%20solution%20you%20have%20on%20boarded.%20If%20its%20ContainerInsights%20solution%20%2C%20then%20the%20Table%20you%20can%20look%20at%20is%20KubePodInventory%20Table%20instead%20of%20the%20ContainerTable%20in%20the%20query.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20the%20sample%20query%20which%20you%20can%20use%20to%20calculate%26nbsp%3B%26nbsp%3Bhow%20long%20container%20in%20waiting%20state%3C%2FP%3E%0A%3CP%3EContainerTable%3CBR%20%2F%3E%7C%20where%20ContainerStatus%20%3D~%20%22waiting%22%3CBR%20%2F%3E%7C%20summarize%20arg_max(TimeGenerated%2C%20ContainerStatus)%20by%20ContainerID%20%3CBR%20%2F%3E%7C%20project%20LastWaitingTime%3D%20TimeGenerated%2C%20ContainerID%20%3CBR%20%2F%3E%7C%20join%20kind%3Dinner%20(%3CBR%20%2F%3E%20ContainerTable%3CBR%20%2F%3E%7C%20where%20ContainerStatus%20%3D~%20%22running%22%3CBR%20%2F%3E%7C%20summarize%20arg_max(TimeGenerated%2C%20ContainerStatus)%20by%20ContainerID%20%3CBR%20%2F%3E%7C%20project%20LastRunningTime%3D%20TimeGenerated%2C%20ContainerID%20%3CBR%20%2F%3E)%20on%20ContainerID%3CBR%20%2F%3E%7C%20project%20ContainerID%2C%20LastRunningTime%2C%20LastWaitingTime%2C%20TotalWaitTime%20%3D%20(LastWaitingTime%20-%20LastRunningTime)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20feel%20free%20to%20ping%20me%20if%20you%20need%20any%20further%20help%20on%20this.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-288502%22%20slang%3D%22en-US%22%3ERe%3A%20Join%20query%20question.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-288502%22%20slang%3D%22en-US%22%3EAdding%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F176204%22%20target%3D%22_blank%22%3E%40Keiko%20Harada%3C%2FA%3E%3CBR%20%2F%3EAre%20you%20using%20AKS%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-288398%22%20slang%3D%22en-US%22%3ERe%3A%20Join%20query%20question.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-288398%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3EThere%20are%20various%20ways%20to%20approach%20this%2C%20%3CA%20href%3D%22https%3A%2F%2Fportal.loganalytics.io%2FDemo%3Fq%3DH4sIAAAAAAAAA51Ty2rDMBC8G%252FwPW18SgV28cl4W%252BJRD722gh1KCEiuJwZWLLPcB%252FfiuG9exk0NTIxDS7syOdlil0tLa5ArGy0JbmWllRGlNpvc%252BPFCuKtvrKntRd4oA0qpUpLRbijDXeXIdAG%252BJng%252FefaU1oen4CxiPeIiLADHAaIWx4HOBs9swDEfM%252Fxcx4gLnPSK%252FkogCw0vio8zsH0%252BNzxXxSuJC4GQQkRSnQ4hRKDAe1ONUIB%252FiKp91XX12nS8oC2Nh8wntKIEst2eDU4dqrPqwSqfNjK23B6n3lEw6cwg3Cbwa9XaKMChMw2iTxytjdc33gzLqomQC1lSqo9mYsq67IsVst2uqJEnbN0gCdgUodzLTFsdPMe61FvzgeyHGyEtd5bnHnG9dnSfMbAMAAA%253D%253D%26amp%3Btimespan%3DP1D%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E's%20one%20example%3A%3C%2FP%3E%0A%3CPRE%3Edatatable%20(Container%3Astring%2C%20Status%3Astring%2C%20TimeGenerated%3Adatetime)%0A%5B%0A%20%20%22C1%22%2C%20%22Running%22%2C%20datetime('2018-11-13T19%3A27%3A16.000')%2C%0A%20%20%22C1%22%2C%20%22Running%22%2C%20datetime('2018-11-13T19%3A32%3A17.000')%2C%0A%20%20%22C2%22%2C%20%22Running%22%2C%20datetime('2018-11-13T19%3A31%3A10.000')%2C%0A%20%20%22C2%22%2C%20%22Waiting%22%2C%20datetime('2018-11-13T19%3A29%3A17.000')%2C%0A%20%20%22C1%22%2C%20%22Waiting%22%2C%20datetime('2018-11-13T19%3A28%3A14.000')%2C%0A%20%20%22C1%22%2C%20%22Waiting%22%2C%20datetime('2018-11-13T19%3A29%3A15.000')%2C%0A%20%20%22C1%22%2C%20%22Waiting%22%2C%20datetime('2018-11-13T19%3A30%3A19.000')%2C%0A%20%20%22C2%22%2C%20%22Waiting%22%2C%20datetime('2018-11-13T19%3A25%3A12.000')%2C%0A%20%20%22C2%22%2C%20%22Running%22%2C%20datetime('2018-11-13T19%3A26%3A10.000')%2C%0A%5D%0A%7C%20sort%20by%20Container%20asc%2C%20TimeGenerated%20asc%0A%7C%20extend%20Status_changed%20%3D%20(Container%20!%3D%20prev(Container)%20or%20Status%20!%3D%20prev(Status))%0A%7C%20where%20Status_changed%20%3D%3D%20true%0A%7C%20extend%20Waiting_time%20%3D%20iff(Status%3D%3D%22Running%22%20and%20prev(Status)%3D%3D%22Waiting%22%2C%20tostring(TimeGenerated-prev(TimeGenerated))%2C%20%22null%22)%3C%2FPRE%3E%0A%3CP%3EI've%20created%20a%20data%20table%20with%20records%20similar%20to%20what%20you%20suggest%20(not%20exactly%20the%20same).%3C%2FP%3E%0A%3CP%3EFirst%26nbsp%3B%20-%20I%20sort%20the%20data%20by%20container%20and%20time%20of%20event.%3C%2FP%3E%0A%3CP%3EThen%20-%20I%20calculate%20whether%20a%20row%20indicated%20a%20change%20in%20status%20for%20this%20specific%20container%20(from%20waiting%20to%20running%20or%20the%20other%20way).%3C%2FP%3E%0A%3CP%3EI%20then%20keep%20only%20the%20records%20in%20which%20the%20status%20has%20changed%20-%20the%20others%20aren't%20needed%20for%20the%20calculation%20of%20waiting%20time.%3C%2FP%3E%0A%3CP%3EFinally%20-%20I%20calculate%20the%20duration%20from%20the%20most%20recent%20waiting%20period%2C%20until%20the%20current%20running%20period.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHTH%2C%3C%2FP%3E%0A%3CP%3ENoa%3C%2FP%3E%3C%2FLINGO-BODY%3E
Gautam Moulik
Microsoft

Hello all,

My POD containers are logging their state and I need to find out how long the Containers are in the “Waiting” state.

Consider the below table structure 

ContainerName

Status

Time Generated

C1

Running

2018-11-13T19:31:17.000

C1

Running

2018-11-13T19:32:17.000

C2

Running

2018-11-13T19:31:17.000

C2

Running

2018-11-13T19:29:17.000

C1

Waiting

2018-11-13T19:28:17.000

C1

Waiting

2018-11-13T19:29:17.000

C2

Waiting

2018-11-13T19:25:17.000

C2

Waiting

2018-11-13T19:26:17.000

 

Essentially, I need to find out the difference between the Waiting “Time generated”  with the next Running “Time generated” value.   

Please keep in mind a Container can be in “Waiting” state and in Running state in multiple times (within any specific time-range), for example

[ t1:Waiting -> t2:Waiting-> t3:Running -> t4:Running -> t5:Running -> t6:Waiting -> t7:Running -> t8:Running ->  t9:Running ->  t10:Waiting ], here t1, t2, t3 are time points.
How to figure out this as query.

Thanks,

3 Replies

Hi,

There are various ways to approach this, here's one example:

datatable (Container:string, Status:string, TimeGenerated:datetime)
[
  "C1", "Running", datetime('2018-11-13T19:27:16.000'),
  "C1", "Running", datetime('2018-11-13T19:32:17.000'),
  "C2", "Running", datetime('2018-11-13T19:31:10.000'),
  "C2", "Waiting", datetime('2018-11-13T19:29:17.000'),
  "C1", "Waiting", datetime('2018-11-13T19:28:14.000'),
  "C1", "Waiting", datetime('2018-11-13T19:29:15.000'),
  "C1", "Waiting", datetime('2018-11-13T19:30:19.000'),
  "C2", "Waiting", datetime('2018-11-13T19:25:12.000'),
  "C2", "Running", datetime('2018-11-13T19:26:10.000'),
]
| sort by Container asc, TimeGenerated asc
| extend Status_changed = (Container != prev(Container) or Status != prev(Status))
| where Status_changed == true
| extend Waiting_time = iff(Status=="Running" and prev(Status)=="Waiting", tostring(TimeGenerated-prev(TimeGenerated)), "null")

I've created a data table with records similar to what you suggest (not exactly the same).

First  - I sort the data by container and time of event.

Then - I calculate whether a row indicated a change in status for this specific container (from waiting to running or the other way).

I then keep only the records in which the status has changed - the others aren't needed for the calculation of waiting time.

Finally - I calculate the duration from the most recent waiting period, until the current running period.

 

HTH,

Noa

Adding @Keiko Harada
Are you using AKS?

Not sure which solution you have on boarded. If its ContainerInsights solution , then the Table you can look at is KubePodInventory Table instead of the ContainerTable in the query. 

 

Here is the sample query which you can use to calculate  how long container in waiting state

ContainerTable
| where ContainerStatus =~ "waiting"
| summarize arg_max(TimeGenerated, ContainerStatus) by ContainerID
| project LastWaitingTime= TimeGenerated, ContainerID
| join kind=inner (
ContainerTable
| where ContainerStatus =~ "running"
| summarize arg_max(TimeGenerated, ContainerStatus) by ContainerID
| project LastRunningTime= TimeGenerated, ContainerID
) on ContainerID
| project ContainerID, LastRunningTime, LastWaitingTime, TotalWaitTime = (LastWaitingTime - LastRunningTime)

 

Please feel free to ping me if you need any further help on this.

 

 

 

 

 

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies