SOLVED

Limit series in Log Analytics histogram


I have a Log Analytics query that produces a histogram based on some data being ingested, by ending the query with a 'render timechart' command. This results in a graph with over 12 series plotted across the x-axis (time axis). Since this is a histogram with the backing table resembling something like...

 

Computer      Time     Value
Machine a     09:00    5
Machine a     10:00    7
Machine a     11:00    10
Machine b     09:00    8
Machine b     11:00    10
Machine c     10:00    14
...
Machine z     09:00    12

 

Is there a best way to limit the series in the histogram to only a certain number of machines (not rows, since as seen above there could be multiple rows per machine)? In other words, how would I limit the timechart to only show series for the top 2 Machines based on their values? If I simply use 'top 5 by Value', or 'top 5 by Computer', it will only take the top x rows...not the top x Machines and all their respective rows.

 

If this is not possible, when pinning these results to an Azure Portal dashboard, is there any way to exclude the 'OTHERS' aggregation that's automatically created?

 

Thanks for any help anyone can provide here.

8 Replies

What about using the distinct operator to filter prior to showing the 'top 5 by Value', or 'top 5 by Computer'?

 

https://docs.loganalytics.io/docs/Language-Reference/Tabular-operators/distinct-operator

 

Hi

If I understand the question correctly I think if you put:

| summarize arg_max(Value, *) by Computer

before 

| render timechart

I think you might achieve the desired effect.

arg_max() - https://docs.loganalytics.io/docs/Language-Reference/Aggregation-functions/arg_max

 

Let me know if it works.

Thanks for your response Orion.

 

I couldn't get distinct to work because it didn't have the effect of filtering that I wanted. I did get one solution to work. I basically performed an initial search to find the top 5 machines by average value, then inner joined that with the time-series search I originally used. That way, only the time series for the top 5 machines (based on their overall average) were shown.

Thanks Stanislav!

 

Your response actually showed what I was missing in my solution, which was a way to determine the top 5 machines before displaying a histogram. The solution I used, seen in the response above, basically does this first, and inner joins that with the time-series search.

Best Response
Solution

If this is the thing you wanted to achieve:

https://cloudadministrator.wordpress.com/2018/03/22/top-10-charts-in-azure-log-analytics-and-applica...

I would have pointed you earlier but I didn't understand exactly the request I guess. Reply yes if the logic in that blog post matches what you've wanted to achieve. That way I can mark this reply as answer for future people to see it. 

Yes, this is exactly it! Thanks, and apologies for not being clearer in my question.

No problem. Glad that you've solved the problem.

Thanks Stan.  I would just make one refinement to the query, using Top 10 in the first statement.

Also in your blog, you can always point to a query in action in our demo environment.  Here is the link to the query below.

 

// First statement: pick the 10 computers with the highest overall average CPU.
let TopComputers = Perf
| where ObjectName == 'Processor' and CounterName == '% Processor Time' and InstanceName == '_Total'
| summarize AggregatedValue = avg(CounterValue) by Computer
| top 10 by AggregatedValue desc
| project Computer;
// Second statement: chart the hourly average for those computers only.
Perf
| where ObjectName == 'Processor' and CounterName == '% Processor Time' and InstanceName == '_Total' and Computer in (TopComputers)
| summarize AggregatedValue = avg(CounterValue) by Computer, bin(TimeGenerated, 1h)
| render timechart
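
The inner-join variant described earlier in the thread, written out as an added example that is not part of any post above. The rows are constructed to match the table in the question (the dates and the second "Machine z" row are invented for illustration), and the names Samples and TopMachines are assumptions.

```kusto
// Constructed sample rows in the shape of the table from the question.
let Samples = datatable(Computer:string, TimeGenerated:datetime, Value:real)
[
    "Machine a", datetime(2018-01-01 09:00), 5.0,
    "Machine a", datetime(2018-01-01 10:00), 7.0,
    "Machine a", datetime(2018-01-01 11:00), 10.0,
    "Machine b", datetime(2018-01-01 09:00), 8.0,
    "Machine b", datetime(2018-01-01 11:00), 10.0,
    "Machine c", datetime(2018-01-01 10:00), 14.0,
    "Machine z", datetime(2018-01-01 09:00), 12.0,
    "Machine z", datetime(2018-01-01 10:00), 11.0
];
// Step 1: rank machines, not rows, by their overall average value.
// Averages here: a = 7.33, b = 9, c = 14, z = 11.5, so c and z are kept.
let TopMachines = Samples
| summarize OverallAvg = avg(Value) by Computer
| top 2 by OverallAvg desc
| project Computer;
// Step 2: the inner join keeps every time-series row of those machines.
// A row-level 'top 2 by Value' would return only (c, 14) and (z, 12)
// and lose the 10:00 sample for Machine z.
Samples
| join kind=inner (TopMachines) on Computer
| summarize AggregatedValue = avg(Value) by Computer, bin(TimeGenerated, 1h)
| render timechart
```

With a small, fixed list of machines the join and the `Computer in (TopComputers)` filter return the same series; the filter form avoids the extra Computer1 column the join produces.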