Getting incremental value from Perf / TCPv4 / Connection Failuers

Occasional Contributor

I would like to run a query based on the performance counter ObjectName == "TCPv4" and CounterName == "Connection Failures"


This counter displays the TCP Failure number but its particularity is that the counter is incremental.

I would like, with my query, to get only the incremental between two data points.

Let's say my counter is every 300 seconds (5m), how can I have a column with the value incremented every 300 or 600 seconds?


My current query look like this. I've looked to a way of using some kind on Summarize operator without success.

| where Computer =~ "MyComputerName"
| where ObjectName == "TCPv4" and CounterName == "Connection Failures"
| project TimeGenerated, Computer, ObjectName, CounterName, CounterValue







2 Replies
best response confirmed by SebasL (Occasional Contributor)



You can use the prev command. In this example, we look at free space on the C: volume on a computer named Idala. We compare the previous counter value with the current one. We also do a CASE to write different text strings based on the current free space.


| where Computer == "idala"
| where CounterName == "% Free Space"
| where InstanceName == "C:"
| serialize | extend prevValue = prev(CounterValue, 1)
| extend diffvalue = CounterValue - prevValue
| extend trend = case(CounterValue < prevValue, "Free Space Reduces",
CounterValue > prevValue, "Free Space Increases",
"No difference")
| project TimeGenerated, InstanceName, CounterValue, prevValue, diffvalue, trend
| order by TimeGenerated desc

Wow thanks! did'nt know about PREV().

that work A1!

| where Computer == "Contoso"
| where ObjectName in ("TCPv4") and CounterName == "Connection Failures"
| order by TimeGenerated asc
| extend CounterValue_prevValue = prev(CounterValue, 1)
| project
, Computer
, ObjectName
, CounterName
, CounterValue
, CounterValue_Incremental=CounterValue - CounterValue_prevValue