SOLVED

Getting incremental value from Perf / TCPv4 / Connection Failures

Occasional Contributor

I would like to run a query based on the performance counter ObjectName == "TCPv4" and CounterName == "Connection Failures"

 

This counter displays the TCP Failure number but its particularity is that the counter is incremental.

I would like, with my query, to get only the incremental between two data points.

Let's say my counter is every 300 seconds (5m), how can I have a column with the value incremented every 300 or 600 seconds?

 

My current query looks like this. I've looked for a way of using some kind of summarize operator without success.

Perf
| where Computer =~ "MyComputerName"
| where ObjectName == "TCPv4" and CounterName == "Connection Failures"
| project TimeGenerated, Computer, ObjectName, CounterName, CounterValue

 


 

thanks!

 

 

2 Replies
best response confirmed by SebasL (Occasional Contributor)
Solution

Hi,

 

You can use the prev command. In this example, we look at free space on the C: volume on a computer named Idala. We compare the previous counter value with the current one. We also do a CASE to write different text strings based on the current free space.

 

Perf
| where Computer == "idala"
| where CounterName == "% Free Space"
| where InstanceName == "C:"
// prev() needs a defined row order: sort oldest-first (order by also serializes the rows)
| order by TimeGenerated asc
| extend prevValue = prev(CounterValue, 1)
| extend diffvalue = CounterValue - prevValue
| extend trend = case(CounterValue < prevValue, "Free Space Reduces",
    CounterValue > prevValue, "Free Space Increases",
    "No difference")
| project TimeGenerated, InstanceName, CounterValue, prevValue, diffvalue, trend
| order by TimeGenerated desc

Wow thanks! Didn't know about PREV().

That works A1!

Perf
| where Computer == "Contoso"
| where ObjectName in ("TCPv4") and CounterName == "Connection Failures"
// Sort oldest-first so prev() returns the preceding sample
| order by TimeGenerated asc
| extend CounterValue_prevValue = prev(CounterValue, 1)
// CounterValue_Incremental is the increase since the previous sample (null on the first row)
| project
    TimeGenerated
    , Computer
    , ObjectName
    , CounterName
    , CounterValue
    , CounterValue_Incremental = CounterValue - CounterValue_prevValue
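
The query below is an added example, not part of any post in this thread. It generalizes the prev() approach to several computers at once and to a chosen interval (the 600-second case from the question). The 1-day window, the 10-minute bin, and treating a drop in the counter as a reset that restarts from zero are assumptions.

```kusto
// Added example: per-computer increments of the cumulative
// TCPv4 "Connection Failures" counter, one row per 10-minute interval.
Perf
| where TimeGenerated > ago(1d)                      // assumed look-back window
| where ObjectName == "TCPv4" and CounterName == "Connection Failures"
// The counter only grows, so the max per bin is the last reading in that bin.
| summarize CounterValue = max(CounterValue) by Computer, bin(TimeGenerated, 10m)
// Group each computer's samples together, oldest first; order by serializes the rows.
| order by Computer asc, TimeGenerated asc
| extend PrevComputer = prev(Computer, 1), PrevValue = prev(CounterValue, 1)
| extend Delta = case(
    PrevComputer != Computer, real(null),            // first sample of a computer: no baseline
    CounterValue < PrevValue, CounterValue,          // counter dropped: assume it restarted from zero
    CounterValue - PrevValue)                        // normal case: increase since the previous bin
| where isnotnull(Delta)
| project TimeGenerated, Computer, CounterValue, Delta
```

Without the PrevComputer check, the first row of each computer would be subtracted from the last row of the previous computer, producing a meaningless (often negative) increment.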