Showing results for 
Show  only  | Search instead for 
Did you mean: 

Get all problems for a specific tag ("Application") on a service and a specific tag on a host ("Environment")


Been trying to work out a DQL to get all the problems from events where the service with the problem is filtered on a custom tag called "Application", and where the host the service runs on is filtered on a custom tag called "Environment".

Been working with support, but they suggested asking here for additional help. So far I have this query:

fetch events
| filter event.kind == "DAVIS_PROBLEM"
| lookup sourceField:runs_on[], lookupField:id, fields:{ =}
| fieldsAdd entity.type, lifetime, tags
| filter matchesValue(entity_tags,"Application:ContractHub")
| filter event.status != "CLOSED"
| summarize Problems = count()

 However, I am getting a syntax error on the lookup section:

There aren't enough parameters for command `lookup`. 1 mandatory parameter is missing: lookupTable. lookupTable: Sub-query for records with fields to add or overwrite in the input.

I don't see a "lookupTable" argument in the docs (, so not sure what to change



Featured Posts