Kusto - Alert resolved for specific ADF pipeline - azure-data-factory

Long time watcher, first time poster so please be kind to this poor noob....
We're marching forth into Azure and I'm working on the monitoring and alerting side (because no one else is so far). I have successfully created a number of alerts using KQL with LogAnalytics but I am having issues with an ADF query.
Need something that will alert as Resolved ONLY when original failed pipeline subsequently shows as Successful. Right now, we're getting a Resolved alert when any other pipeline is successful. Help me Obi Wan Kenobi - you're my only hope.....
Current query is:
let activities = ADFActivityRun
    | where Status == 'Failed' and ActivityType !in ('IfCondition', 'ExecutePipeline', 'ForEach')
    | project
        ActivityName,
        ActivityType,
        Input,
        Output,
        ErrorMessage,
        Error,
        PipelineRunId,
        ActivityRunId,
        _ResourceId;
ADFPipelineRun
| project RunId, PipelineName, Status, Start, End
| summarize max(Start) by PipelineName
| join kind = inner ADFPipelineRun on $left.PipelineName == $right.PipelineName and $left.max_Start == $right.Start
| project RunId
    , TimeGenerated
    , ResourceName=split(_ResourceId, '/')[-1]
    , PipelineName
    , Status
    , Start
    , End
    , Parameters
    , Predecessors
| where Status == 'Failed'
| join kind = inner activities on $left.RunId == $right.PipelineRunId
| project TimeGenerated
    , ResourceName=split(_ResourceId, '/')[-1]
    , PipelineName
    , ActivityName
    , ActivityType
    , Status
    , Start
    , End
    , Parameters
    , Error
    , PipelineRunId
    , ActivityRunId
    , Predecessors

Related

Azure Log Analytics for Postgres Flexible Server

Just trying to use a pre-existing "Slowest queries - top 5" from Azure log analytics for postgres flexible server. The query that is provided is:
// Slowest queries
// Identify top 5 slowest queries.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreRuntimeStatistics"
| where user_id_s != "10" //exclude azure system user
| summarize avg(todouble(mean_time_s)) by event_class_s , db_id_s ,query_id_s
| top 5 by avg_mean_time_s desc
This query results in the error:
'where' operator: Failed to resolve column or scalar expression named 'user_id_s'
If the issue persists, please open a support ticket. Request id: XXXX
I am guessing that something is not configured in order to utilize the user_id_s column. Any assistance is appreciated.
I am expecting you are checking the integer value 10 is not equal to the user_id_s.
In your KQL query user_id_s != "10".
Thanks @venkateshdodda-msft, I am adding your suggestion to help fix the issue.
If you are using an integer in KQL, make sure to remove the " " double quotes.
// using as an integer
| where user_id_s != 10
Or convert the integer into a string by using
// converting into string
| extend UserId = tostring(Properties.user_id_s)
| where UserId in ('10')
Modified KQL Query
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreRuntimeStatistics"
// using as an integer
| where user_id_s != 10 //exclude azure system user
| summarize avg(todouble(mean_time_s)) by event_class_s , db_id_s ,query_id_s
| top 5 by avg_mean_time_s desc
Reference:
Operator failed to resolve table or column expression
Converting integer to string

azure log search alerts

I have this search, but I want Azure to alert when the bandwidth reaches 50%. I have tried the alert setup, but that only sets how many times the search found results, so I'm not sure what needs to be added to the search so that it only triggers on the bandwidth threshold.
AzureMetrics
| where ResourceId contains "ckt"
| where MetricName == "BitsINPerSecond"
| where TimeGenerated > (now() - 12h) and TimeGenerated <= now()
| project TimeGenerated, Resource, inBytes=Maximum
| join kind= inner
(
    AzureMetrics
    | where MetricName == "BitsOutPerSecond"
    | where TimeGenerated > (now() - 12h) and TimeGenerated <= now()
    | project TimeGenerated, Resource, outBytes= Maximum
)
on TimeGenerated, Resource
| summarize data_in_Gbps = max(inBytes)/1000000000, data_out_Gbps = max(outBytes)/1000000000,
    data_total_Gbps = sum(inBytes + outBytes)/1000000000 by bin(TimeGenerated, 1h), Resource
| extend BW_percentage = data_out_Gbps * 100
| order by TimeGenerated
Add at the end of the query: "| where BW_percentage > 50".
Check that you are happy with the results when you run the query yourself.
Then copy the query to the alert rule and set the threshold to >0 to alert you on any one resource where this is true.
(You can change the 1h to 30m if this is the time span that interests you.)

How to Mark a case as a 're-open' if the same Case Id occurred prior to the one being looked at

I have been trying a few various methods to see if I can get this to work, but I haven't had any luck.
Here is what I am trying to accomplish.
Every day, there are cases that get closed. We are wanting to track cases that have been 're-opened' after having been already closed once, but there is nothing in the information provided that tells us this is a re-opened case. The only way to do this is to check the Case ID and the Report Date and see if there is a duplicate Case Id that exists and was closed prior to this report date. To complicate matters, here is some additional info:
1) A common situation is that a case is closed, re-opened and then closed again within the same day (sometimes multiple times). This should count as a re-open, each time it is done after the first instance, even if it's the same day (I assume we would group by case ID?)
2) I run a 5 Day reporting window, so a case should NOT count as a re-open if for instance on 3/20/2019 the case was closed for the first time, and then re-opened at some point and closed again 3/26/2019 until 3/26/2019. On 3/20, 3/21, 3/22, and 3/25 (report days skip weekends and holidays; this is already built in, do not need anything for that) it should NOT be marked as a re-open because the case still only has one instance on or before the report date we are looking at. On 3/26 it would be marked as a re-open because it would then have been closed for a second time on or before the report date.
Here are some queries:
CREATE TABLE ResolvedCases(
Case_ID varchar(20),
Case_Closed_On datetime,
Report_Date date,
Is_ReOpened_Case VarChar(3) NULL
)
-- Name the three supplied columns so the rows match the four-column table;
-- Is_ReOpened_Case is left NULL.
INSERT INTO ResolvedCases (Case_ID, Case_Closed_On, Report_Date) VALUES
    ('US1236', '2019-02-16 12:30:45', '2/16/2019'),
    ('US1238', '2019-02-28 15:30:45', '2/28/2019'),
    ('US1234', '2019-03-19 12:30:45', '3/19/2019'),
    ('US1234', '2019-03-19 15:30:45', '3/19/2019'),
    ('US1235', '2019-03-20 9:30:45', '3/20/2019'),
    ('US1235', '2019-03-23 12:40:45', '3/23/2019'),
    ('US1236', '2019-03-20 12:30:45', '3/24/2019'),
    ('US1237', '2019-03-25 12:30:45', '3/25/2019');
Expected Results (only showing the cases with Report_Date between 3/20 and 3/26):
Case_ID  Case_Closed_On       Report_Date  Is_ReOpened_Case
US1234   2019-03-19 12:30:45  3/19/2019    No   (There is a duplicate case Id on 3/19 but it didn't happen until 3:30 PM; at 12:30 PM this hadn't occurred yet so it was not a re-open at that time)
US1234   2019-03-19 15:30:45  3/19/2019    Yes
US1235   2019-03-20 9:30:45   3/20/2019    No   (There is a duplicate case Id on 3/23 but on 3/20 this hadn't occurred yet so it was not a re-open on that date)
US1235   2019-03-23 12:40:45  3/23/2019    Yes
US1236   2019-03-20 12:30:45  3/24/2019    Yes  (Because of the case closed on 2/16/2019 even though it doesn't show in this query)
US1237   2019-03-25 12:30:45  3/25/2019    No
Any help would be appreciated with this...
I have something that shows the count of the case ID which shows me all the duplicates for a given date range and have them grouped by Case_ID but I am not sure how to just mark each individual row as a re-open or not based on the requirements above...
For your immediate problem, you can use LAG to update your table with the flag you're looking for. (It returns a NULL if there's no preceding value, hence the logic in the CASE statement.)
UPDATE rc
SET rc.Is_ReOpened_Case = sq.Is_ReOpened_Case
FROM
    #ResolvedCases AS rc
    LEFT JOIN
    (
        SELECT
            Case_ID
            ,Case_Closed_On
            ,Report_Date
            ,Is_ReOpened_Case =
                CASE
                    WHEN LAG(Case_ID) OVER (PARTITION BY Case_ID ORDER BY Case_Closed_On) IS NOT NULL
                        THEN 'Yes'
                    ELSE 'No'
                END
        FROM #ResolvedCases
    ) AS sq
        ON sq.Case_ID = rc.Case_ID
        AND sq.Case_Closed_On = rc.Case_Closed_On
WHERE
    COALESCE(rc.Is_ReOpened_Case,'') <> COALESCE(sq.Is_ReOpened_Case,'')
SELECT
    rc.*
FROM #ResolvedCases AS rc
WHERE rc.Report_Date >= '20190319' AND rc.Report_Date < '20190326'
ORDER BY Case_ID, Case_Closed_On;
Results:
+---------+-------------------------+-------------+------------------+
| Case_ID | Case_Closed_On          | Report_Date | Is_ReOpened_Case |
+---------+-------------------------+-------------+------------------+
| US1234  | 2019-03-19 12:30:45.000 | 2019-03-19  | No               |
| US1234  | 2019-03-19 15:30:45.000 | 2019-03-19  | Yes              |
| US1235  | 2019-03-20 09:30:45.000 | 2019-03-20  | No               |
| US1235  | 2019-03-23 12:40:45.000 | 2019-03-23  | Yes              |
| US1236  | 2019-03-20 12:30:45.000 | 2019-03-24  | Yes              |
| US1237  | 2019-03-25 12:30:45.000 | 2019-03-25  | No               |
+---------+-------------------------+-------------+------------------+
But thereafter you'll need to do something with the code that populates this table to maintain those values for future entries. That might require a two-step solution, but you'll have to decide after you review that code set. Maybe just run that UPDATE after the data load.

Native Query (JPA) takes long with date comparison

Has anyone got any idea how I could optimize this query so that it'll run faster? Right now it takes up to 30 sec to retrieve around 3k "containers", and that's way too long. It's foreseen that it'll have to retrieve around 1 million records.
Query query = em().createNativeQuery("SELECT * FROM CONTAINER where TO_CHAR(CREATION_DATE, 'YYYY-MM-DD') >= TO_CHAR(:from, 'YYYY-MM-DD') " +
"AND TO_CHAR(CREATION_DATE, 'YYYY-MM-DD') <= TO_CHAR(:to, 'YYYY-MM-DD') ", Container.class);
query.setParameter("from", from);
query.setParameter("to", to);
return query.getResultList();
JPA 2.0, Oracle DB
EDIT: I've got an index on the CREATION_DATE column:
CREATE INDEX IDX_CONTAINER_CREATION_DATE
ON CONTAINER (CREATION_DATE);
it's not a named query because the TO_CHAR function doesn't seem to be supported by JPA 2.0 and I've read that it should make the query faster if there's an index..
My explain plan (still doing full table scan for some reason instead of using the index):
---------------------------------------
| Id | Operation | Name |
---------------------------------------
| 0 | SELECT STATEMENT | |
| 1 | TABLE ACCESS FULL| CONTAINER |
---------------------------------------
One fix I don't like:
I've done the following..
TypedQuery<Container> query = em().createQuery(
"SELECT NEW Container(c.barcode, c.createdBy, c.creationDate, c.owner, c.sequence, c.containerSizeBarcode, c.a, c.b, c.c) " +
"FROM Container c where c.creationDate >= :from AND c.creationDate <= :to", Container.class);
and I've added an absurdly long constructor to Container and this fixes the loading times.. But, this is really ugly and I don't want this tbh. Anyone any other suggestions?

How to return a function result into query?

I have a function called ClientStatus that returns a record with two fields Status_Description and Status_Date. This function receives a parameter Client_Id.
I'm trying to get the calculated client status for all the clients in the table Clients, something like:
| Client_Name | Status_Description | Status_Date |
+-------------+--------------------+-------------+
| Abc | Active | 12-12-2010 |
| Def | Inactive | 13-12-2011 |
Where Client_Name comes from the table Clients, Status_Description and Status_Date from the function result.
My first (wrong) approach was to join the table and the function like so:
SELECT c.Client_Name, cs.Status_Description, cs.Status_Date FROM Clients c
LEFT JOIN (
SELECT * FROM ClientStatus(c.ClientId) as (Status_Description text, Status_Date date)) cs
This obviously didn't work because c.ClientId could not be referenced.
Could someone explain to me how I can obtain the result I am looking for?
Thanks in advance.
I think the following can give the result you expect :
SELECT c.Client_Name, d.Status_Description, d.Status_Date
FROM Clients c, ClientStatus(c.ClientId) d
I have solved my problem writing the query like this:
-- Client_Name is selected inside the subquery so the outer query can reference it
SELECT cs.Client_Name, cs.status[1] as Description, cs.status[2]::date as Date
FROM (
    SELECT Client_Name,
           string_to_array(translate(
               (SELECT ClientStatus(ClientId))::Text, '()', ''), ',') status
    FROM Clients
) cs
It is not the most elegant solution but it was the only one I could find to make this work.