Azure log analytics timechart with multiple dimensions

%3CLINGO-SUB%20id%3D%22lingo-sub-108245%22%20slang%3D%22en-US%22%3EAzure%20log%20analytics%20timechart%20with%20multiple%20dimensions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-108245%22%20slang%3D%22en-US%22%3E%3CP%3EFollowing%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.loganalytics.io%2Fdocs%2FLearn%2FTutorials%2FCharts-and-diagrams%23multiple-dimensions%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noreferrer%20noopener%22%3Emultiple%20dimensions%20documentation%20example%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eit%20says%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3EMultiple%20expressions%20in%20the%20by%20clause%20creates%20multiple%20rows%2C%20one%20for%20each%20combination%20of%20values.%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CSTRONG%3EI%20want%20to%20query%20their%20sample%20database%20for%20networks%20bytes%20Send%20and%20Received%20per%20each%20computer%3C%2FSTRONG%3E.%20Starting%20with%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fportal.loganalytics.io%2Fdemo%3Fq%3DH4sIAAAAAAAAA1WOuwqDQBREe79iEAIKW2jAIoVpUqQLFpJ%252B1YkK7m64u%252BZFPj4PQsB6zjlMRTlFT1wHClGPhntaig7ssIXuXZJ3Kf7Azs02UA7aEGWJeIVKXEvvnXzl%252BIP62Rgt44PQlz75KUc9zUwVzpSWNowT%252FWJSKDKFTZECzR3NaJPFGYV8SN9t3gJth3oQ%252BsFNHUqss%252BgF6bL7icUAAAA%253D%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noreferrer%20noopener%22%3Ethis%20query%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eit%20should%20be%20something%20like%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPerf%20%7C%20where%20TimeGenerated%20%26gt%3B%20ago(1d)%20%7C%20where%20(CounterName%20%3D%3D%20%22Bytes%20Received%2Fsec%22%20or%20CounterName%20%3D%3D%20%22Bytes%20Sent%2Fsec%22)%20%7C%20summarize%20avg(CounterValue)%20by%20bin(TimeGenerated%2C%201h)%2C%20Computer%2C%20CounterName%20%7C%20extend%20Threshold%20%3D%2020%20%7C%20render%20timechart%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20problem%20is%20that%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ESend%20and%20Received%20bytes%20gets%20grouped%20in%20the%20graph%20at%20computer%20level%20%3C%2FSTRONG%3Ewhich%20doesn't%20make%20any%20sense.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20can%20multiple%20dimensions%20be%20represented%20as%20stated%20in%20the%20documentation%20so%20that%20I%20have%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CEM%3EComputer%20X%20Bytes%20Send%3C%2FEM%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eand%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CEM%3EComputer%20X%20Bytes%20Received%3C%2FEM%3E.%20As%20a%20note%20this%20was%20perfectly%20doable%20in%20the%20previous%20version.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-108245%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-108837%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20log%20analytics%20timechart%20with%20multiple%20dimensions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-108837%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20you%20please%20share%20how%20did%20you%20achieve%20this%20in%20the%20v1%20version%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-108262%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20log%20analytics%20timechart%20with%20multiple%20dimensions%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-108262%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20as%20clean%20as%20I%20would%20like%20but%20I%20have%20figured%20out%20that%20a%26nbsp%3Bstring%20concatenation%20would%20do%20the%20trick%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3EPerf%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E(CounterName%20%3D%3D%20%3C%2FSPAN%3E%3CSPAN%3E%22Bytes%20Received%2Fsec%22%3C%2FSPAN%3E%3CSPAN%3Eor%3C%2FSPAN%3E%3CSPAN%3ECounterName%20%3D%3D%20%3C%2FSPAN%3E%3CSPAN%3E%22Bytes%20Sent%2Fsec%22%3C%2FSPAN%3E%3CSPAN%3E)%20%3C%2FSPAN%3E%3CSPAN%3Eand%3C%2FSPAN%3E%3CSPAN%3EInstanceName%20%3C%2FSPAN%3E%3CSPAN%3Ematches%3C%2FSPAN%3E%3CSPAN%3Eregex%3C%2FSPAN%3E%3CSPAN%3E%22%5EMicrosoft%20Hyper-V%20Network%20Adapter.*%24%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Esummarize%3C%2FSPAN%3E%3CSPAN%3Eavg(CounterValue)%20%3C%2FSPAN%3E%3CSPAN%3Eby%3C%2FSPAN%3E%3CSTRONG%3Estrcat(Computer%2C%20%22%20%22%3C%2FSTRONG%3E%3CSPAN%3E%3CSTRONG%3E%2C%20CounterName)%3C%2FSTRONG%3E%2C%20bin(TimeGenerated%2C%20%3C%2FSPAN%3E%3CSPAN%3E10%3C%2FSPAN%3E%3CSPAN%3Es)%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Erender%3C%2FSPAN%3E%3CSPAN%3E%20timechart%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E
New Contributor

Following the multiple dimensions documentation example it says

Multiple expressions in the by clause creates multiple rows, one for each combination of values.

I want to query their sample database for networks bytes Send and Received per each computer. Starting with this query it should be something like

 

Perf | where TimeGenerated > ago(1d) | where (CounterName == "Bytes Received/sec" or CounterName == "Bytes Sent/sec") | summarize avg(CounterValue) by bin(TimeGenerated, 1h), Computer, CounterName | extend Threshold = 20 | render timechart

 

The problem is that Send and Received bytes gets grouped in the graph at computer level which doesn't make any sense.

 

How can multiple dimensions be represented as stated in the documentation so that I have Computer X Bytes Send and Computer X Bytes Received. As a note this was perfectly doable in the previous version.

2 Replies

Not as clean as I would like but I have figured out that a string concatenation would do the trick

 

Perf
| where (CounterName == "Bytes Received/sec" or CounterName == "Bytes Sent/sec") and InstanceName matches regex "^Microsoft Hyper-V Network Adapter.*$"
| summarize avg(CounterValue) by strcat(Computer, " ", CounterName), bin(TimeGenerated, 10s)
| render timechart

Can you please share how did you achieve this in the v1 version ?