SOLVED

'DnsEvents | summarize by ClientIP, TimeGenerated' doesn't return expected result

When I execute the following query on the demo portal:

DnsEvents
| summarize by ClientIP, TimeGenerated

It doesn't return what I expect. It seems the TimeGenerated is rounded to the nearest hour and all sub-hour records are filtered. It's as if there was a hypothetical startofhour function applied to TimeGenerated. Is this expected?

5 Replies

Hi,

Can you let us know what exactly you are trying to achieve, as the query you are executing does not make much sense?

Best Response confirmed by Brady Evans (Occasional Contributor)
Solution

Hi,

This is expected. It is a failsafe functionality in the system to protect it from returning huge amounts of records, which would be the situation if we returned every TimeGenerated with millisecond accuracy. It automatically uses 1 hour binning.

We are evaluating this failsafe mechanism and considering whether it is worth keeping.

If you want control over the binning period, you can use the bin function. This query does the same but uses 1 minute binning instead of the 1 hour binning:

DnsEvents | summarize count() by ClientIP, bin(TimeGenerated,1m)

Thanks,

Meir :>
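To make the failsafe behaviour concrete, here is an added Python emulation (not from this thread and not Log Analytics code) of what bin() does to TimeGenerated: it rounds down to the start of the bucket, so the implicit 1h bin collapses every sub-hour event into one row per ClientIP per hour, while bin(TimeGenerated,1m) keeps minute-level rows. The DnsEvents rows are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample DnsEvents rows (ClientIP, TimeGenerated); not real data.
SAMPLE_DNS_EVENTS = [
    ("10.0.0.5", datetime(2018, 4, 10, 9, 0, 12)),
    ("10.0.0.5", datetime(2018, 4, 10, 9, 0, 45)),
    ("10.0.0.5", datetime(2018, 4, 10, 9, 17, 3)),
    ("10.0.0.5", datetime(2018, 4, 10, 9, 59, 59)),
    ("10.0.0.5", datetime(2018, 4, 10, 10, 0, 0)),
    ("10.0.0.7", datetime(2018, 4, 10, 9, 30, 30)),
    ("10.0.0.7", datetime(2018, 4, 10, 9, 30, 31)),
]

EPOCH = datetime(1970, 1, 1)


def kql_bin(value: datetime, round_to: timedelta) -> datetime:
    """Emulate KQL bin(value, round_to): round DOWN to the start of the
    bucket that contains value (floor, not nearest), buckets aligned to
    the epoch."""
    bucket_count = (value - EPOCH) // round_to  # timedelta // timedelta -> int
    return EPOCH + bucket_count * round_to


def distinct_rows(events, round_to: timedelta):
    """Emulate: DnsEvents | summarize by ClientIP, bin(TimeGenerated, round_to)
    With no aggregate, summarize emits one row per distinct key, which is
    why sub-hour events appear to vanish under an implicit 1h bin."""
    return sorted({(ip, kql_bin(ts, round_to)) for ip, ts in events})


def count_by_client_bin(events, round_to: timedelta):
    """Emulate: DnsEvents | summarize count() by ClientIP, bin(TimeGenerated, round_to)"""
    return dict(Counter((ip, kql_bin(ts, round_to)) for ip, ts in events))


if __name__ == "__main__":
    for label, period in (("1h (implicit failsafe)", timedelta(hours=1)),
                          ("1m (explicit bin)", timedelta(minutes=1))):
        rows = distinct_rows(SAMPLE_DNS_EVENTS, period)
        print(f"bin {label}: {len(rows)} rows from {len(SAMPLE_DNS_EVENTS)} events")
        for (ip, bucket), n in sorted(count_by_client_bin(SAMPLE_DNS_EVENTS, period).items()):
            print(f"  {ip}  {bucket:%H:%M:%S}  count={n}")
```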

Thanks for the response. That makes sense. I'm just trying to understand Log Analytics and was reading through the docs on Materialize. There is a query that has a let assignment:

let totalPagesPerDay = PageViews | summarize by Page, Day = startofday(Timestamp) | summarize count() by Day;

This basically bins the PageViews by day (?) and was wondering if I could bin them by hour. Playing with DnsEvents I stumbled across this behavior and was thinking if I can't understand a fundamental query like this I must be missing something. Sorry if the question was off base.

Hi,

Here is a more compact way to write the first query:
PageViews | summarize count() by bin(Timestamp,1d)

You can also do 1 hour binning using bin(Timestamp,1h).
You can see all details on the bin() function here: https://docs.loganalytics.io/docs/Language-Reference/Scalar-functions/bin
There are additional options for more advanced scenarios. For example, see bin_at(): https://docs.loganalytics.io/docs/Language-Reference/Scalar-functions/bin_at

Your feedback on the confusion is good. This is why we are thinking of eliminating the auto-binning functionality.

Ah, thanks, explicitly calling bin makes more sense.