cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Calculating rate of change in Log Analytics

Peter Hall
Occasional Contributor

‎Sep 12 2019 03:50 AM - last edited on ‎Apr 08 2022 10:07 AM by

‎Sep 12 2019 03:50 AM - last edited on ‎Apr 08 2022 10:07 AM by

Calculating rate of change in Log Analytics

If I have a counter that increases over time and I want to display how much that counter is changing every minute, how would I do that.  In PromQL I would use the rate function but is there a simple equivalent KQL?

For example, 14:10:00 the total value since we collected data was 182077, at 14:11 it was 182083 and at 14:12 it was 182084.  I would like to render a graph showing 0 at 14:10, 6 at 14:11 and 1 at 14:12. 

Sounds simple but I can't see a way to do it.  Any help would be appreciated.

 

Regards

Pete

Labels:
5,834 Views
0 Likes
8 Replies
Reply
8 Replies
CliveWatson

‎Sep 12 2019 08:10 AM

‎Sep 12 2019 08:10 AM

Re: Calculating rate of change in Log Analytics

@Peter Hall 

 

Have you looked at bin? https://docs.microsoft.com/en-us/azure/kusto/query/binfunction

Event
| where TimeGenerated > ago(1h)
| summarize count(EventID) by bin(TimeGenerated, 1m)

 

This shows the count of EventIDs in the Events table every min in the past hour?

 

Go to Log Analytics and Run Query

clipboard_image_0.png

 

Adding as this as the last line will give you the graph, rather than a table.

 

| render barchart

 

 

 

0 Likes
Reply
Peter Hall

‎Sep 12 2019 08:40 AM

‎Sep 12 2019 08:40 AM

Re: Calculating rate of change in Log Analytics

@CliveWatson Thanks for the reply.  I have looked at that.  It's not the number of new entries per minute I am trying to ascertain, but the change in the sum of all previous entries per minute, if that makes sense.  

clipboard_image_0.png

ie in the above query, you'll see system mode cpu usage for computer aks-agentpool-31816283-2 goes from 264552.21 to 264560.83 in the minute, so i want the difference between those 2 on an on-going basis.  In fact, I actually want it for all modes but one step at a time.

0 Likes
Reply
CliveWatson

‎Sep 12 2019 08:48 AM

‎Sep 12 2019 08:48 AM

Re: Calculating rate of change in Log Analytics

@Peter Hall 

 

How about?

Event
| where TimeGenerated > ago(1h)
| summarize count() by bin(TimeGenerated, 1m)
| sort by TimeGenerated asc 
| extend accumulated =row_cumsum(count_)

 

Go to Log Analytics and Run Query

 

 

TimeGenerated count_ accumulated
2019-09-12T14:46:00Z 343 343
2019-09-12T14:47:00Z 57 400
2019-09-12T14:48:00Z 49 449
2019-09-12T14:49:00Z 488 937
2019-09-12T14:50:00Z 321 1258
2019-09-12T14:51:00Z 354 1612
2019-09-12T14:52:00Z 378 1990
2019-09-12T14:53:00Z 482 2472
2019-09-12T14:54:00Z 344 2816
2019-09-12T14:55:00Z 501 3317

 

0 Likes
Reply
best response confirmed by Peter Hall (Occasional Contributor)
Peter Hall

‎Sep 12 2019 12:03 PM

‎Sep 12 2019 12:03 PM

Solution

Re: Calculating rate of change in Log Analytics

@CliveWatson you are a scholar and a gent.  That would appear to do the trick.  I'll adapt as necessary but thank you

1 Like
Reply
Ketan Ghelani

‎Sep 15 2019 09:40 AM

‎Sep 15 2019 09:40 AM

Re: Calculating rate of change in Log Analytics

You can also use the next or prev functions to get the rate
https://docs.microsoft.com/en-us/azure/kusto/query/prevfunction

1 Like
Reply
Peter Hall

‎Sep 16 2019 08:12 AM

‎Sep 16 2019 08:12 AM

Re: Calculating rate of change in Log Analytics

@Ketan GhelaniThanks very much for the reply.  I'll take a look at that as well

0 Likes
Reply
santhoshparepu

‎Dec 29 2019 11:05 PM

‎Dec 29 2019 11:05 PM

Re: Calculating rate of change in Log Analytics

@Peter Hall Did you find out prometheus "rate" equivalent function in kusto

0 Likes
Reply
ehuggz

‎Sep 07 2022 07:35 AM

‎Sep 07 2022 07:35 AM

Re: Calculating rate of change in Log Analytics

@santhoshparepu For anyone still looking for a Prometheus equivalent to rate of change the link below defines a Kusto User Defined Function to calculate rate of change from a Prometheus style counter which can only go up, unless reset. series_rate_fl() - Azure Data Explorer | Microsoft Docs

0 Likes
Reply