30 Oct 2024 05:41 PM
Hi,
I was able to get the dimensions from the metrics but not directly from the logs. Here is my query:
fetch logs
| filter contains(azure.resource.name, "MTH") and contains(content, "QRY_STATUS") and contains(content, "ETL-ALERT") //and loglevel == "ERROR"
| parse content, "JSON:json"
| fieldsFlatten json
| fields timestamp, azure.resource.group, APPLICATION_NAME = json.Properties[APPLICATION_NAME], QRY_STATUS = json.Properties[QRY_STATUS], PIPELINESTEPCODE = json.Properties[PIPELINESTEPCODE],
TENANT_ID = json.Properties[TENANT_ID], LEVELNUMBER = json.Properties[LEVELNUMBER], QRY_ERROR = json.Properties[QRY_ERROR]
| filter QRY_STATUS == "FAILED"
| makeTimeseries count(), interval: 1m, time: timestamp
I want to get all the attributes in the fields in the event properties, but I'm not able to get those.
Any help here is highly appreciated.
Thanks
31 Oct 2024 01:33 AM
Hey @subashsagi41
It looks like it's because by the end of the query there are no attributes/dimensions. When using the makeTimeseries command without any splits, nothing from the logs is retained and the system cannot extract information where there is none. If you run this query in a notebook and visualize it with "Record List" you'll be able to see what's retained.
Also, if you're looking to create an alert based off the logs I'd recommend turning them into a metric using processing rules on ingest. This will allow for cheaper visualization and querying if you don't anticipate it changing much over time.
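The split the reply describes, as an added example that is not part of either post: the same query with a `by:` clause on makeTimeseries, so the named fields survive as dimensions on each series. The choice of APPLICATION_NAME, TENANT_ID and PIPELINESTEPCODE as split fields is an assumption; the filter and field extraction lines are copied from the question as posted.

```dql
fetch logs
| filter contains(azure.resource.name, "MTH") and contains(content, "QRY_STATUS") and contains(content, "ETL-ALERT")
| parse content, "JSON:json"
| fieldsFlatten json
// Field extraction copied unchanged from the question.
| fields timestamp, azure.resource.group, APPLICATION_NAME = json.Properties[APPLICATION_NAME], QRY_STATUS = json.Properties[QRY_STATUS], PIPELINESTEPCODE = json.Properties[PIPELINESTEPCODE],
TENANT_ID = json.Properties[TENANT_ID], LEVELNUMBER = json.Properties[LEVELNUMBER], QRY_ERROR = json.Properties[QRY_ERROR]
| filter QRY_STATUS == "FAILED"
// Without by:, only the count series and its timeframe are returned.
// With by:, one series is produced per distinct combination of the listed
// fields, and those fields are kept on each result record as dimensions.
// Split fields below are an assumed selection; free-text fields such as
// QRY_ERROR are left out because each distinct message would become its own series.
| makeTimeseries count(), by: {APPLICATION_NAME, TENANT_ID, PIPELINESTEPCODE}, interval: 1m, time: timestamp
```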