I am trying to create a chart in Azure App Insights for all 500 errors received per Cloud_RoleName, broken down by each unique exception type. What I want is a weekly trend, compared with the previous week's data, and a monthly trend, showing whether new types of 500 errors are appearing. Basically a week-over-week trend analysis of 500 errors. I tried the following query:
requests
| where resultCode =="500" and timestamp > ago(1d)
| join (exceptions) on operation_Id
| summarize by type, cloud_RoleName
As far as I understand, this only returns data for the last 1 day (summarized by 500 error type). Unfortunately I could not form a query that gives me the weekly trend data. Any help with this KQL?
After Yoni's reply I found a blog where a trend chart is generated for Security Events, so I went ahead and used the query from the blog and created the query below. But I still don't know whether I am getting what I want. Can someone modify this query? All I want is a trend of new 500 error types per week, per cloud_RoleName, from the Exception and Request tables. https://microsoftonlineguide.blogspot.com/2018/05/detect-malicious-activity-using-azure.html?showComment=1561507971564#c5650649192825890878
let T=requests
| where resultCode =="500" and timestamp > ago(30d)
| join (exceptions) on operation_Id
| summarize by type, cloud_RoleName, Date = startofday(timestamp);
T
| evaluate activity_counts_metrics(type,Date, startofday(ago(30d)), startofday(now()), 1d, type, cloud_RoleName)
| extend WeekDate = startofweek(Date)
| project WeekDate, Date, type, PotentialAnomalyCount = new_dcount, cloud_RoleName
| join kind= inner
(
T
| evaluate activity_engagement(type, Date, startofday(ago(30d)), startofday(now()),1d, 7d)
| extend WeekDate = startofweek(Date)
| project WeekDate, Date, Distribution1day = dcount_activities_inner, Distribution7days = dcount_activities_outer, Ratio = activity_ratio*100
)
on WeekDate, Date
| where PotentialAnomalyCount == 1 and Ratio < 100
| project WeekDate, Date, type, cloud_RoleName, PotentialAnomalyCount, Distribution1day, Distribution7days, Ratio
| render barchart kind=stacked
Answer 0 (score: 1)
It is a bit challenging to answer without knowing your data and its structure.
That said, here is an attempt at answering, based on the verbal description in your question, using the built-in activity_counts_metrics plugin (link to doc):
datatable(day:datetime, result_code:int)
[
datetime(2019-05-01), 500,
datetime(2019-05-10), 500,
datetime(2019-05-20), 500,
datetime(2019-06-01), 500,
datetime(2019-06-02), 500,
datetime(2019-06-03), 501,
datetime(2019-06-04), 500,
datetime(2019-06-05), 500,
datetime(2019-06-06), 500,
datetime(2019-06-07), 500,
datetime(2019-06-08), 500,
datetime(2019-06-09), 500,
datetime(2019-06-10), 500,
datetime(2019-06-11), 500,
datetime(2019-06-12), 500,
datetime(2019-06-13), 502,
datetime(2019-06-14), 500,
]
| evaluate activity_counts_metrics(result_code, day, ago(60d), now(), 'week')
// try using 'month' too, instead of 'week'
This returns:
| day | count | dcount | new_dcount | aggregated_dcount |
|-----------------------------|-------|--------|------------|-------------------|
| 2019-04-28 00:00:00.0000000 | 1 | 1 | 1 | 1 |
| 2019-05-05 00:00:00.0000000 | 1 | 1 | 1 | 1 |
| 2019-05-19 00:00:00.0000000 | 1 | 1 | 1 | 1 |
| 2019-05-26 00:00:00.0000000 | 1 | 1 | 1 | 1 |
| 2019-06-02 00:00:00.0000000 | 7 | 2 | 2 | 2 |
| 2019-06-09 00:00:00.0000000 | 6 | 2 | 2 | 2 |
where:
TimelineColumn: the start time of the time window (week/month/etc.).
count: the total number of records in the time window.
dcount: the count of distinct Id values in the time window.
new_dcount: the count of distinct Id values in the time window that were not seen in any previous time window.
aggregated_dcount: the total count of distinct Id values from the first time window up to and including the current one.
If you are interested in seeing the actual distinct codes (per week/month), the following lines can guide you:
datatable(day:datetime, result_code:int)
[
datetime(2019-05-01), 500,
datetime(2019-05-10), 500,
datetime(2019-05-20), 500,
datetime(2019-06-01), 500,
datetime(2019-06-02), 500,
datetime(2019-06-03), 501,
datetime(2019-06-04), 500,
datetime(2019-06-05), 500,
datetime(2019-06-06), 500,
datetime(2019-06-07), 500,
datetime(2019-06-08), 500,
datetime(2019-06-09), 500,
datetime(2019-06-10), 500,
datetime(2019-06-11), 500,
datetime(2019-06-12), 500,
datetime(2019-06-13), 502,
datetime(2019-06-14), 500,
]
| summarize distinct_codes = make_set(result_code) by startofweek(day)
| extend distinct_codes_count = array_length(distinct_codes)
This returns:
| start_of_week | distinct_codes | distinct_codes_count |
|-----------------------------|----------------|----------------------|
| 2019-04-28 00:00:00.0000000 | 500 | 1 |
| 2019-05-05 00:00:00.0000000 | 500 | 1 |
| 2019-05-19 00:00:00.0000000 | 500 | 1 |
| 2019-05-26 00:00:00.0000000 | 500 | 1 |
| 2019-06-02 00:00:00.0000000 | 500, 501 | 2 |
| 2019-06-09 00:00:00.0000000 | 500, 502 | 2 |
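Putting the two posts together, here is an added example (not from the question, the answer, or the linked blog) of the week-over-week query the asker described: it joins failed requests to their exceptions, builds the set of exception types per cloud_RoleName per week, and reports which types were not present in that role's previous week. It assumes the standard Application Insights columns already used on the page (timestamp, resultCode, operation_Id, cloud_RoleName, type); the 90-day lookback and the output column names are my own choices.

```kusto
// Added example: new HTTP 500 exception types per cloud_RoleName, week over week.
// Assumes the Application Insights requests/exceptions columns used on the page.
let lookback = 90d;                        // assumption: how far back to trend
let start = startofweek(ago(lookback));
let stop  = startofweek(now());            // exclude the current partial week
let Failed500 =
    requests
    | where timestamp between (start .. stop) and resultCode == "500"
    | project operation_Id, cloud_RoleName, timestamp
    | join kind=inner (
        exceptions
        | where timestamp between (start .. stop)
        | project operation_Id, type
      ) on operation_Id;
Failed500
// one row per role and week, carrying the set of exception types seen
| summarize TypesThisWeek = make_set(type), Total500s = count()
    by cloud_RoleName, WeekStart = startofweek(timestamp)
// prev() needs a serialized (ordered) table; order by role, then week
| order by cloud_RoleName asc, WeekStart asc
// previous week's set for the same role, or an empty set at a role boundary
| extend PrevWeekTypes = iff(prev(cloud_RoleName) == cloud_RoleName,
                             prev(TypesThisWeek), dynamic([]))
| extend NewTypeNames = set_difference(TypesThisWeek, PrevWeekTypes)
| project WeekStart, cloud_RoleName, Total500s,
          DistinctTypes = array_length(TypesThisWeek),
          NewTypeCount  = array_length(NewTypeNames),
          NewTypeNames
| render columnchart with (kind=stacked)
```

NewTypeNames tells you exactly which exception types are new for a role relative to the week before, which is what you would alert on; NewTypeCount is the number to chart. Note that a week with no 500s for a role produces no row, so the comparison is against the last week that had data rather than a calendar-adjacent week. For "new compared with all previous weeks" instead of just the previous one, the answer's activity_counts_metrics approach applies, with cloud_RoleName passed as the dimension column and strcat(cloud_RoleName, "|", type) as the Id column so that new_dcount is judged per role.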