cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Getting incremental value from Perf / TCPv4 / Connection Failuers

SebasL
Copper Contributor

‎Aug 24 2021 11:31 AM - last edited on ‎Apr 08 2022 10:53 AM by

‎Aug 24 2021 11:31 AM - last edited on ‎Apr 08 2022 10:53 AM by

Getting incremental value from Perf / TCPv4 / Connection Failuers

I would like to run a query based on the performance counter ObjectName == "TCPv4" and CounterName == "Connection Failures"

 

This counter displays the TCP Failure number but its particularity is that the counter is incremental.

I would like, with my query, to get only the incremental between two data points.

Let's say my counter is every 300 seconds (5m), how can I have a column with the value incremented every 300 or 600 seconds?

 

My current query look like this. I've looked to a way of using some kind on Summarize operator without success.

Perf
| where Computer =~ "MyComputerName"
| where ObjectName == "TCPv4" and CounterName == "Connection Failures"
| project TimeGenerated, Computer, ObjectName, CounterName, CounterValue

 

SebasL_0-1629829818097.png

 

thanks!

 

 

Labels:
931 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by SebasL (Copper Contributor)
Anders Bengtsson

‎Aug 26 2021 07:12 AM - edited ‎Aug 26 2021 07:26 AM

‎Aug 26 2021 07:12 AM - edited ‎Aug 26 2021 07:26 AM

Solution

Re: Getting incremental value from Perf / TCPv4 / Connection Failuers

Hi,

 

You can use the prev command. In this example, we look at free space on the C: volume on a computer named Idala. We compare the previous counter value with the current one. We also do a CASE to write different text strings based on the current free space.

 

Perf
| where Computer == "idala"
| where CounterName == "% Free Space"
| where InstanceName == "C:"
| serialize | extend prevValue = prev(CounterValue, 1)
| extend diffvalue = CounterValue - prevValue
| extend trend = case(CounterValue < prevValue, "Free Space Reduces",
CounterValue > prevValue, "Free Space Increases",
"No difference")
| project TimeGenerated, InstanceName, CounterValue, prevValue, diffvalue, trend
| order by TimeGenerated desc

1 Like
Reply
SebasL

‎Aug 26 2021 08:07 AM

‎Aug 26 2021 08:07 AM

Re: Getting incremental value from Perf / TCPv4 / Connection Failuers

Wow thanks! did'nt know about PREV().

that work A1!

Perf
| where Computer == "Contoso"
| where ObjectName in ("TCPv4") and CounterName == "Connection Failures"
| order by TimeGenerated asc
| extend CounterValue_prevValue = prev(CounterValue, 1)
| project
TimeGenerated
, Computer
, ObjectName
, CounterName
, CounterValue
, CounterValue_Incremental=CounterValue - CounterValue_prevValue
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by SebasL (Copper Contributor)
Anders Bengtsson

‎Aug 26 2021 07:12 AM - edited ‎Aug 26 2021 07:26 AM

‎Aug 26 2021 07:12 AM - edited ‎Aug 26 2021 07:26 AM

Solution

Re: Getting incremental value from Perf / TCPv4 / Connection Failuers

Hi,

 

You can use the prev command. In this example, we look at free space on the C: volume on a computer named Idala. We compare the previous counter value with the current one. We also do a CASE to write different text strings based on the current free space.

 

Perf
| where Computer == "idala"
| where CounterName == "% Free Space"
| where InstanceName == "C:"
| serialize | extend prevValue = prev(CounterValue, 1)
| extend diffvalue = CounterValue - prevValue
| extend trend = case(CounterValue < prevValue, "Free Space Reduces",
CounterValue > prevValue, "Free Space Increases",
"No difference")
| project TimeGenerated, InstanceName, CounterValue, prevValue, diffvalue, trend
| order by TimeGenerated desc

View solution in original post

1 Like
Reply