04 Oct 2024 09:13 AM
Hi All,
I have created a timeseries DQL for a dashboard and I have got so far and I'm now stuck. It produces a line chart for me, but I need the CountofRecords to be one value per 30 min interval (see attached image).
timeseries interval:30m, Requests = sum(log.application),by: {event.original, application}
| parse event.original, """LD '@mt":' LD:mt ',' """
| filter matchesPhrase(application, "API")
| filter matchesPhrase(mt, "Get request received")
| fieldsAdd CountofRecords=arraymovingSum(Requests, 30)
Any help would be appreciated.
04 Oct 2024 09:24 AM
Hi @Gib80
How about this query:
timeseries interval:30m, Requests = sum(log.application),by: {event.original, application}, filter: matchesPhrase(application, "API")
| parse event.original, """LD '@mt":' LD:mt ',' """
| filter matchesPhrase(mt, "Get request received")
| summarize
    CountofRecords = sum(Requests[]),
    interval = takeAny(interval),
    timeframe = takeAny(timeframe)
| fieldsAdd CountofRecordsMoving=arraymovingSum(CountofRecords, 30)
I am not sure why you are using the arrayMovingSum function.
Best,
Sini
04 Oct 2024 09:35 AM
Perfect, that worked brilliantly! Thank you.