When you do this:
| summarize count(), by:{dimension}the only fields which survive directly such operation are the ones listed in by: parameter and these created by expressions listed after summarize. So there is no possibility to put anything back.
I prepared some example data which create timeseries resembling what you have :
data
record(timestamp=now(), v=1, dimension=array("a","b")),
record(timestamp=now()-1m, v=2, dimension=array("a","b")),
record(timestamp=now(), v=3, dimension=array("b")),
record(timestamp=now()-1m, v=1, dimension=array("b")),
record(timestamp=now(), v=4, dimension=array("c")),
record(timestamp=now()-1m, v=2, dimension=array("c")),
record(timestamp=now()-2m, v=2, dimension=array("c")),
record(timestamp=now(), v=1, dimension=array("c","b")),
record(timestamp=now()-1m, v=2, dimension=array("c","b")),
record(timestamp=now()-2m, v=2, dimension=array("c","b"))
| makeTimeseries {log.metric=sum(v)}, by:{dimension}, from: now()-5m, interval: 1m
As I understand the goal is to count over time how many times each element of array being dimension was present in data. This query is calculating this:
data
record(timestamp=now(), v=1, dimension=array("a","b")),
record(timestamp=now()-1m, v=2, dimension=array("a","b")),
record(timestamp=now(), v=3, dimension=array("b")),
record(timestamp=now()-1m, v=1, dimension=array("b")),
record(timestamp=now(), v=4, dimension=array("c")),
record(timestamp=now()-1m, v=2, dimension=array("c")),
record(timestamp=now()-2m, v=2, dimension=array("c")),
record(timestamp=now(), v=1, dimension=array("c","b")),
record(timestamp=now()-1m, v=2, dimension=array("c","b")),
record(timestamp=now()-2m, v=2, dimension=array("c","b"))
| makeTimeseries {log.metric=sum(v), timestamp=start()}, by:{dimension}, from: now()-5m, interval: 1m
| expand dimension
| fieldsAdd d=record(timestamp=timestamp[], log.metric=log.metric[])
| expand d
| filterOut isNull(d[log.metric])
| makeTimeseries count(), by: {dimension}, time:d[timestamp], from:now()-5m, interval: 1mIn order to have time we need to use start() function which creates timeseries with timestamps and associate each datapoint with timestamp. I assumed that you do not want to count when metric value was null (data not present)
Result looks like this:
I hope it helps
Kris
Featured Posts
