From ceeee5a420e79bebaa80997a1269306b6ed6d5d6 Mon Sep 17 00:00:00 2001
From: Jurjen Ladenius
Date: Tue, 31 Oct 2023 15:00:41 +0100
Subject: [PATCH] Availability logging kql
---
.vscode/settings.json | 3 ++
KQL/shared_logs/availability logging.kql | 54 ++++++++++++++++++++++++
2 files changed, 57 insertions(+)
create mode 100644 .vscode/settings.json
create mode 100644 KQL/shared_logs/availability logging.kql
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..c9a6001
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "dotnet.defaultSolution": "disable"
+}
\ No newline at end of file
diff --git a/KQL/shared_logs/availability logging.kql b/KQL/shared_logs/availability logging.kql
new file mode 100644
index 0000000..65c45eb
--- /dev/null
+++ b/KQL/shared_logs/availability logging.kql
@@ -0,0 +1,54 @@
+// Avg Timespan per Name
+
+AppAvailabilityResults
+| order by Name, TimeGenerated desc
+| where TimeGenerated > ago(7d)
+| extend TimeSince = TimeGenerated - next(TimeGenerated)
+| extend NextName = next(Name)
+| where isnotempty(TimeSince) and NextName == Name
+| summarize avg(TimeSince) by Name
+
+// timespan per name over time
+
+AppAvailabilityResults
+| order by Name, TimeGenerated desc
+| extend TimeSince = TimeGenerated - next(TimeGenerated)
+| extend NextName = next(Name)
+| where isnotempty(TimeSince) and NextName == Name
+| summarize avg(TimeSince) by bin(TimeGenerated, 10m), Name
+| extend avg_millisecs = avg_TimeSince / time(1s)
+| render timechart
+
+
+// last recorded item
+
+AppAvailabilityResults
+| extend timeSince= now() - TimeGenerated
+| summarize arg_max(TimeGenerated, *) by Name
+| order by Name
+
+
+// Alert?
+
+let latestResults = AppAvailabilityResults
+| extend timeSince= now() - TimeGenerated
+| where TimeGenerated > ago(4h) and Success == true
+| summarize arg_max(TimeGenerated, *) by Name
+| order by Name;
+let averageResults = AppAvailabilityResults
+| order by Name, TimeGenerated desc
+| where TimeGenerated > ago(7d)
+| extend TimeSince = TimeGenerated - next(TimeGenerated)
+| extend NextName = next(Name)
+| where isnotempty(TimeSince) and NextName == Name
+| summarize avg(TimeSince) by Name;
+averageResults
+| join kind=leftouter latestResults on Name
+| where isnull(TimeGenerated) or TimeGenerated < datetime_add('minute', -10, now()) // allow for ingress
+| project Name, TimeGenerated, AverageInterval=avg_TimeSince, LastSeenTimeSpan=timeSince
+
+// performance
+
+AppAvailabilityResults
+| summarize avgRequestDuration=avg(DurationMs) by bin(TimeGenerated, 10m), Name
+| render timechart
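Review bot: In the "Alert?" query the staleness test is a fixed 10 minutes (`TimeGenerated < datetime_add('minute', -10, now())`), while the per-Name `avg_TimeSince` is computed and then only projected. A test whose normal interval is longer than 10 minutes would be reported on every run, so consider deriving the bound from the average, e.g. `| where isnull(TimeGenerated) or now() - TimeGenerated > avg_TimeSince + 10m // interval + ingestion delay`. Because the left side of the join is `averageResults`, a Name with fewer than two rows in the 7-day window never reaches the alert at all. A test that has been silent that long therefore drops out instead of firing, which deserves at least a comment such as `// Names silent for more than 7d are not covered here`. Separately, in the "timespan per name over time" query `avg_TimeSince / time(1s)` yields seconds, so `avg_millisecs` should either divide by `time(1ms)` or be renamed.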