Yes, you can do it this way.

Note that I used join kind "fullouter" to includes all records, while the default join behavior is to show only records that match and exists on both left and right tables.

Thank you for all your help.

What is the project-away cmlet?

Thank you!

project-away actually excludes field from the results. After join, fields that have the same name in both table (such as the field you join on) are shown as "Fieldname" and "Fieldname1". If you want remove one of them from the result set, project-away is the easiest way.

Hi Noa,

Is it in some way possible to use a matcher like contains or has in place of in?

...

Hi Henrik,

To check if a string contain any of a given list of values, you'd need to a evaluation each value separately, like this:

Perf 
| where CounterName contains "% Committed" 
or CounterName contains "% Used Mem" 
or CounterName contains "% Proc"
| summarize AggregatedValue = avg(CounterValue) by Computer, CounterName 

The only string operator that accepts a list of values is "in". See the full list of string operators here.

Regards,

Noa

There is no Performance counter called % Used Memory in windows..I am also trying to find out how to get the Percentage of Memory used within  12 hours time...slice window of 1 hour  .Please let me know if anyone has the query for this

Thanks

R

---

@Noa Kuperberg wrote:

Hi Henrik,

To check if a string contain any of a given list of values, you'd need to a evaluation each value separately, like this:

Perf 
| where CounterName contains "% Committed" 
or CounterName contains "% Used Mem" 
or CounterName contains "% Proc"
| summarize AggregatedValue = avg(CounterValue) by Computer, CounterName 

The only string operator that accepts a list of values is "in". See the full list of string operators here.

 

Regards,

Noa

---

@Noa Kuperberg wrote:

Hi Henrik,

To check if a string contain any of a given list of values, you'd need to a evaluation each value separately, like this:

Perf 
| where CounterName contains "% Committed" 
or CounterName contains "% Used Mem" 
or CounterName contains "% Proc"
| summarize AggregatedValue = avg(CounterValue) by Computer, CounterName 

The only string operator that accepts a list of values is "in". See the full list of string operators here.

 

Regards,

Noa

---

---

@RagSaw 

You need a way to identify the servers by their type,  here I'm using the computer name in a few ways (just to show some of the options you can use), to find the computer type and then assign a value and a default value.  You may have another identifier other than computer name, but you can use a "case" on that data, like this example:

Perf
| where TimeGenerated > ago(1h) 
| summarize by Computer, CounterName, CounterValue
| extend groupThreshold_ = case
                            (
                                Computer startswith "THAM", 10,
                                Computer endswith   "01",70,
                                Computer has        "aks",60,
                                Computer contains   "RDS",65,                       
                                //else use default value
                            50
                            )
| where CounterName == "% Committed Bytes In Use"
| summarize avg = avg(CounterValue) by Computer, groupThreshold_
| where avg > groupThreshold_