This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Converting DQL into timeseries

Go to solution
AK
Pro

‎17 Sep 2024 08:20 PM

Hello Folks,

Need some help in converting following query into timeseries as I wanted to use it in Davis anomaly detection.

Is it possible?

 

fetch logs, from:now() - 4h
| filter contains(dt.process.name, "process_name")
| filter contains (content, "Error when user:")
| parse content, "JSON:json"
| parse json[log],  "LD ': ' LD:user_id ' - ' LD ': ' BOOL:userid_generated LD ': ' BOOL:userid_is_not_NULL"
| fields timestamp, log = json[log], user_id, userid_generated, userid_is_not_NULL, user_type = json[`user-type`]
| summarize requestId = collectDistinct(user_id), by:{bin(timestamp,1m), log, userid_generated, userid_is_not_NULL, user_type}

 

Regards,

AK

0 Kudos
Reply
5 REPLIES 5

Go to solution
Fin_Ubels
Dynatrace Champion
Dynatrace Champion

‎17 Sep 2024 11:28 PM

Hi AK,

I would look at using the makeTimeseries command instead of summarize as documented here https://docs.dynatrace.com/docs/shortlink/aggregation-commands#makeTimeseries. The third example on that page would likely be the best fit for you. It would probably look something like:

fetch logs, from:now() - 4h
| filter contains(dt.process.name, "process_name")
| filter contains (content, "Error when user:")
| parse content, "JSON:json"
| parse json[log],  "LD ': ' LD:user_id ' - ' LD ': ' BOOL:userid_generated LD ': ' BOOL:userid_is_not_NULL"
| fields timestamp, log = json[log], user_id, userid_generated, userid_is_not_NULL, user_type = json[`user-type`]
| makeTimeseries count(), by:{log, userid_generated, userid_is_not_NULL, user_type}

I would however recommend first turning it into a metric on ingest so that you aren't constantly querying logs for anomaly detection. This would also allow you to reuse the metric on dashboards or in notebooks more easily as well. Docs for that can be found here: https://docs.dynatrace.com/docs/platform/openpipeline/use-cases/tutorial-log-processing-pipeline

Reply

Go to solution
AK
Pro
In response to Fin_Ubels

‎18 Sep 2024 04:14 PM

@Fin, thank you for the query, its working fine.

Is it possible to use collectDistinct to collect distinct values of user_id under makeTimeseries

Regards,

AK

0 Kudos
Reply

Go to solution
Fin_Ubels
Dynatrace Champion
Dynatrace Champion
In response to AK

‎19 Sep 2024 12:40 AM

Good to hear!
If you want user_id to be one of the dimensions, then you would include it in the by:{} section. Is that what you're looking for?

0 Kudos
Reply

Go to solution
AK
Pro
In response to Fin_Ubels

‎19 Sep 2024 07:39 AM

No, if you take a look at summarize command, there we are trying to collect distinct userIds and all other fields are under "by" section, can we do the same with makeTimeseries

summarize requestId = collectDistinct(user_id),by:{bin(timestamp,1m), log, userid_generated, userid_is_not_NULL, user_type}
0 Kudos
Reply

Go to solution
krzysztof_hoja
Dynatrace Pro
Dynatrace Pro
In response to AK

‎19 Sep 2024 03:27 PM

makeTimeseries command produces arrays of numbers (track changes of metric value over time), so it will not work with collectDistinct as it produces array of unique user_id values.
What would make sense to have metric "number of unique user_id values" over time. Then you should use countDistinctExact or countDistinctApprox function.

Kris

Reply
Ask a question

Featured Posts