cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Home

'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'

%3CLINGO-SUB%20id%3D%22lingo-sub-225062%22%20slang%3D%22en-US%22%3E'summarize'%20operator%3A%20Failed%20to%20resolve%20scalar%20expression%20named%20'TimeGenerated'%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-225062%22%20slang%3D%22en-US%22%3E%3CDIV%3EI%20got%26nbsp%3Bthe%20error%20as%20title%2C%20when%20execute%20below%20query%2C%20anyone%20know%20about%20this%3F%3C%2FDIV%3E%0A%3CDIV%3Elet%20containerNames%20%3D%20Perf%20%3CBR%20%2F%3E%7C%20where%20InstanceName%20like%20'shenzhou-tts-829bbd20-3e9e-43a0-a7d7-35252d5ef498'%3CBR%20%2F%3E%7C%20where%20ObjectName%20%3D%3D%20'K8SContainer'%3CBR%20%2F%3E%7C%20where%20CounterName%20%3D%3D%20%22memoryRssBytes%22%3CBR%20%2F%3E%7C%20distinct%20InstanceName%3B%3CBR%20%2F%3EcontainerNames%3CBR%20%2F%3E%7C%20join%20(%3CBR%20%2F%3EPerf%3CBR%20%2F%3E)%20on%20InstanceName%3CBR%20%2F%3E%7C%20where%20CounterName%20%3D%3D%20%22memoryRssBytes%22%3CBR%20%2F%3E%7C%20extend%20usage%20%3D%20tolong(CounterValue)%3CBR%20%2F%3E%7C%20summarize%20max(usage)%20by%20InstanceName%2C%20Computer%3CBR%20%2F%3E%7C%20extend%20maxUsageMB%20%3D%20max_usage%20*%201.0%2F(1024*1024)%3CBR%20%2F%3E%7C%20summarize%20sum(maxUsageMB)%20by%20Computer%2C%20bin(%3CU%3ETimeGenerated%3C%2FU%3E%2C%202h)%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-225062%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-227476%22%20slang%3D%22en-US%22%3ERe%3A%20'summarize'%20operator%3A%20Failed%20to%20resolve%20scalar%20expression%20named%20'TimeGenerated'%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-227476%22%20slang%3D%22en-US%22%3Ecool%2C%20thanks!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-225090%22%20slang%3D%22en-US%22%3ERe%3A%20'summarize'%20operator%3A%20Failed%20to%20resolve%20scalar%20expression%20named%20'TimeGenerated'%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-225090%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Dapeng%20Li%2C%3C%2FP%3E%0A%3CP%3EPut%20shortly%20-%20once%20you%20apply%20the%20first%20%60summarize%60%20by%20instance%20name%20and%20computer%2C%20you%20lose%20the%20TimeGenerated%20column.%20I%20suggest%20you%20add%20the%20%22bin%22%20you%20use%20on%20the%20second%20%60summarize%60%20to%20the%20first%20one.%3C%2FP%3E%0A%3CP%3EAdditionally%2C%20when%20you%20use%20%22join%22%20you%20might%20over-complicate%20the%20query%2C%20and%20make%20it%20less%20efficient.%3C%2FP%3E%0A%3CP%3EI%20suggest%20the%20%3CA%20href%3D%22https%3A%2F%2Fportal.loganalytics.io%2FDemo%3Fq%3DH4sIAAAAAAAAA5WPW0%252BDMBTH35fsO5zshbKAbqzAiOFlezDGeIm391KOW5UWQ0scxg9vgZnJEmN8aU5zfv%252FLKdAAL5VhQmF1zSRqSOEWq2cYjz7hfYsVwoXShimO7RoK8YrgIA3iYBHFfhjR0Kecop9w%252B11kMc3ChEXJMnAODjfZC3LT6dMUnMvl%252Ffo78we1Lmtl%252BhYtNpEoy6q503rVGNSTFsyFNkJxM%252Bh0Nh61jX8pLBSQ4YXuvyJxZ1DlUGu2sQyYsijVhuyFT6yo0T3GrlYW7AVTmJ%252FMTsl8FtBp%252B3SsrqVklfhAkGz32CtSO5K92oWsGRzh2aLyrbaBHmRCkQch8RztPcxg7kGwPbK1EzlYd3Z%252FGXwB35pjPQkCAAA%253D%26amp%3Btimespan%3DP1D%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Efollowing%20query%3C%2FA%3E%20(changed%20the%20first%20string%20to%20match%20our%20demo%20data)%3C%2FP%3E%0A%3CPRE%3Elet%20containerNames%20%3D%20Perf%20%0A%7C%20where%20InstanceName%20like%20'e4272367-5645-4c4e-9c67-3b74b59a6982'%0A%7C%20where%20ObjectName%20%3D%3D%20'K8SContainer'%0A%7C%20where%20CounterName%20%3D%3D%20%22memoryRssBytes%22%0A%7C%20distinct%20InstanceName%3B%0APerf%0A%7C%20where%20InstanceName%20in%20(containerNames)%0A%7C%20where%20CounterName%20%3D%3D%20%22memoryRssBytes%22%0A%7C%20extend%20usage%20%3D%20tolong(CounterValue)%0A%7C%20extend%20usageMB%20%3D%20usage%20*%201.0%2F(1024*1024)%0A%7C%20summarize%20maxUsageMB%3Dmax(usageMB)%20by%20InstanceName%2C%20Computer%2C%20bin(TimeGenerated%2C%202h)%0A%7C%20summarize%20sum(maxUsageMB)%20by%20Computer%2C%20bin(TimeGenerated%2C%202h)%3C%2FPRE%3E%0A%3CP%3EHTH%2C%3C%2FP%3E%0A%3CP%3ENoa%3C%2FP%3E%3C%2FLINGO-BODY%3E
Dapeng Li
Dapeng Li
Microsoft

‎08-07-2018 01:04 AM

‎08-07-2018 01:04 AM

'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'

I got the error as title, when execute below query, anyone know about this?
let containerNames = Perf
| where InstanceName like 'shenzhou-tts-829bbd20-3e9e-43a0-a7d7-35252d5ef498'
| where ObjectName == 'K8SContainer'
| where CounterName == "memoryRssBytes"
| distinct InstanceName;
containerNames
| join (
Perf
) on InstanceName
| where CounterName == "memoryRssBytes"
| extend usage = tolong(CounterValue)
| summarize max(usage) by InstanceName, Computer
| extend maxUsageMB = max_usage * 1.0/(1024*1024)
| summarize sum(maxUsageMB) by Computer, bin(TimeGenerated, 2h)
 
5,125 Views
0 Likes
2 Replies
Reply
2 Replies
Noa Kuperberg

‎08-07-2018 02:46 AM - edited ‎08-07-2018 02:48 AM

‎08-07-2018 02:46 AM - edited ‎08-07-2018 02:48 AM

Solution

Re: 'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'

Hi Dapeng Li,

Put shortly - once you apply the first `summarize` by instance name and computer, you lose the TimeGenerated column. I suggest you add the "bin" you use on the second `summarize` to the first one.

Additionally, when you use "join" you might over-complicate the query, and make it less efficient.

I suggest the following query (changed the first string to match our demo data)

let containerNames = Perf 
| where InstanceName like 'e4272367-5645-4c4e-9c67-3b74b59a6982'
| where ObjectName == 'K8SContainer'
| where CounterName == "memoryRssBytes"
| distinct InstanceName;
Perf
| where InstanceName in (containerNames)
| where CounterName == "memoryRssBytes"
| extend usage = tolong(CounterValue)
| extend usageMB = usage * 1.0/(1024*1024)
| summarize maxUsageMB=max(usageMB) by InstanceName, Computer, bin(TimeGenerated, 2h)
| summarize sum(maxUsageMB) by Computer, bin(TimeGenerated, 2h)

HTH,

Noa

Best Response confirmed by Dapeng Li (Microsoft)
1 Like
Reply
Dapeng Li

‎08-12-2018 06:40 PM

‎08-12-2018 06:40 PM

Re: 'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'

cool, thanks!
0 Likes
Reply
Related Conversations
Tabs and Dark Mode
 cjc2112 in Discussions on 09-18-2019
46 Replies
Extentions Synchronization
 Deleted in Discussions on 11-13-2019
3 Replies
Stable version of Edge insider browser
 HotCakeX in Discussions on 10-12-2019
35 Replies
How to Prevent Teams from Auto-Launch
 chenrylee in Microsoft Teams on 06-27-2019
30 Replies
flashing a white screen while open new tab
 Deleted in Discussions on 10-05-2019
14 Replies
Security Community Webinars
 Valon_Kolica in Security, Privacy & Compliance on 10-22-2019
13 Replies