SOLVED

Group similar Process name in LogsAnalytics


Hi, I am looking for a query where I can get % Process CPU for specific Process. My main concern is that I would like to group some of them.

For instance:

"ZSAService", "ZSATunnel" and "ZSATray" should all be grouped under ZScaler


My current query :

Perf
| where Computer contains "sl2"
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where (InstanceName contains "Sysmon" or  InstanceName contains "CSFalconSer"  or  InstanceName contains "ZSA" )
| summarize avg(CounterValue) by InstanceName, bin(TimeGenerated, 1d)
| render timechart title = "% CPU SECURITE"

 and the current result:

[Screenshot of the current timechart: 2020-02-13_02-49-18.gif]

2 Replies
Solution

@SebasL 


If you wanted two groups (ZSA and non-ZSA) that would be:


Perf
| where Computer contains "sl2"
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where (InstanceName contains "Sysmon" or  InstanceName contains "CSFalconSer"  or  InstanceName contains "ZSA" )
| summarize Zscaler    = avgif(CounterValue, InstanceName startswith  "ZSA")
            ,theOthers = avgif(CounterValue, InstanceName !startswith "ZSA")
         by  bin(TimeGenerated, 1d)
| render timechart 


I'll need to think more about this, unless anyone else has an idea?


Thanks 


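Added example (not from the thread or its participants): the accepted answer gives two buckets with avgif; the query below generalises that to any number of named groups by mapping each InstanceName to a group with case() and summarising per group. The group labels "Zscaler", "CrowdStrike" and "Sysmon" and the two-step sum are assumptions of this example; the table, Computer filter and counter are the ones used in the question.

```kusto
// Added example, not the original poster's or answerer's query.
// Step 1: tag every process sample with an assumed group name.
// case() returns the first matching label; unmatched processes fall into "Other".
Perf
| where Computer contains "sl2"
| where ObjectName == "Process" and CounterName == "% Processor Time"
| extend ProcessGroup = case(
    InstanceName startswith "ZSA",         "Zscaler",     // ZSAService, ZSATunnel, ZSATray
    InstanceName startswith "CSFalconSer", "CrowdStrike", // assumed label for CSFalconSer*
    InstanceName startswith "Sysmon",      "Sysmon",
    "Other")
| where ProcessGroup != "Other"
// Step 2: average per process per day first, then add the per-process averages
// within a group. A single avg() over the whole group would give the mean
// per sample, not the combined CPU the group's processes consume together.
| summarize PerProcessAvg = avg(CounterValue)
          by ProcessGroup, InstanceName, bin(TimeGenerated, 1d)
| summarize GroupCpu = sum(PerProcessAvg) by ProcessGroup, TimeGenerated
| render timechart title = "% CPU SECURITE"
```

Adding a new product is then one extra case() row rather than a new avgif column; if the mean per sample is actually what is wanted, replace the two summarize steps with a single `summarize avg(CounterValue) by ProcessGroup, bin(TimeGenerated, 1d)`.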

@Clive Watson 


Many thanks, that does it! :smile: