Nov 21 2019 11:28 AM - last edited on Apr 08 2022 10:12 AM by TechCommunityAP
Greetings community!
I'm using the following query to keep a close eye on my top tables in Log Analytics:
search *
| summarize count() by $table
| project Table=$table, Count=count_
| top 5 by Count
This is great, but I'd also like to track the growth on a day-to-day basis so that I can graph it and catch when there is a big jump in consumption. Any ideas?
Thanks!
Nov 21 2019 11:45 PM
Bookmarking this interesting ask, as I also have no idea how to use date diff in let.
Nov 22 2019 01:10 AM
union withsource = tt *
| where TimeGenerated >= ago(31d)
| summarize count() by bin(TimeGenerated,1d), Source=tt
| render timechart title = "Monthly growth"
Nov 22 2019 06:17 AM
@CliveWatson Sir,
This might be a silly question, but what is the meaning of this line [
Nov 22 2019 07:16 AM
https://docs.microsoft.com/en-us/azure/kusto/query/unionoperator
In simple terms, as we are looking at multiple tables with the (*) wildcard, it's assigning the name of each table to "tt".
"withsource=ColumnName: If specified, the output will include a column called ColumnName whose value indicates which source table has contributed each row. If the query effectively (after wildcard matching) references tables from more than one database (default database always counts) the value of this column will have a table name qualified with the database. Similarly cluster and database qualifications will be present in the value if more than one cluster is referenced."
So I could have changed it to "athing" instead, but not to any reserved keywords like "Source" - hence mapping it back to Source at the end with Source=athing
I only tend to use "tt" as that was the example in the docs when I first learnt about it :)
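Added example, not part of the original thread or written by its participants: building on the `union withsource` query above, this computes each table's day-over-day change in row count with `prev()` and keeps only the days that jumped. The 50% threshold, the full-day time window, and the names JumpThresholdPct, Day, PrevCount, Delta and PctChange are assumptions chosen for illustration.

```kusto
// Added example: day-over-day growth per table, keeping only large jumps.
let JumpThresholdPct = 50.0;   // assumed threshold, tune for your workspace
union withsource = tt *
// Use whole days only, so a partial first or current day does not look like a drop or a jump.
| where TimeGenerated >= startofday(ago(31d)) and TimeGenerated < startofday(now())
| summarize Count = count() by Day = bin(TimeGenerated, 1d), Source = tt
// Sort so that each table's days are adjacent and in order; prev() needs a serialized row set.
| order by Source asc, Day asc
// Previous row's count, but only when the previous row belongs to the same table.
// Days with no rows are absent, so this is the previous day that had data.
| extend PrevCount = iff(prev(Source) == Source, prev(Count), long(null))
| extend Delta = Count - PrevCount
| extend PctChange = round(100.0 * Delta / PrevCount, 1)
// Each table's first day has a null PrevCount and is dropped by this filter.
| where PctChange > JumpThresholdPct
| project Day, Source, PrevCount, Count, Delta, PctChange
| order by PctChange desc
```

Removing the final `where` and `order by` lines and adding `| render timechart` on Delta gives a graph of daily growth per table instead of a list of jumps.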