This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
DQL
Questions about Dynatrace Query Language
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

makeTimeseries in DQL with lookupField

Go to solution
scholcia
Newcomer

‎04 Feb 2026 10:01 AM - last edited on ‎11 Feb 2026 06:34 AM by Community Team

How to create makeTimeseries  in this DQL to be able to create alert from it :

timeseries { uptime = avg(com.dynatrace.extension.network_device.sysuptime), by: { `dt.entity.network:device` }, interval:1m }
| fieldsAdd status = if(isNotNull(uptime[-5]), 0, else: 1)| fieldsRename device=`dt.entity.network:device`
| lookup [
fetch `dt.entity.network:device`
| expand tags
], lookupField:id, sourceField:device
| filter isNotNull(lookup.id)
| fields timeframe, interval, status, device, lookup.tags

Labels:
0 Kudos
Reply
5 REPLIES 5

Go to solution
t_pawlak
Leader

‎04 Feb 2026 10:16 AM

Hi,
To create a DQL-based custom alert, the query must output a numeric timeseries column array. 
I think that in your case status is currently computed not as a array because you use uptime[-5].
Try this:

timeseries {
  uptime = avg(com.dynatrace.extension.network_device.sysuptime),
  by: { `dt.entity.network:device` },
  interval: 1m
}
| fieldsAdd status = if(isNotNull(uptime[]), 0, else: 1)
| fieldsRename device = `dt.entity.network:device`
| lookup [
    fetch `dt.entity.network:device`
    | expand tags
  ], lookupField: id, sourceField: device
| filter isNotNull(lookup.id)
| fields timeframe, interval, status, device, lookup.tags

status as a 0/1 timeseries.
Then in alert select status

0 Kudos
Reply

Go to solution
scholcia
Newcomer

‎04 Feb 2026 10:36 AM

Thanks a lot it works however I need to exclude last value from array 'uptime' because in each case is "null" so that my alert will be useless.

0 Kudos
Reply

Go to solution
t_pawlak
Leader

‎04 Feb 2026 11:08 AM

Yeah, you can drop the last (incomplete) bucket using to:-1m, but in this case you need to use from too.
This is what I mean:

timeseries {
  uptime = avg(com.dynatrace.extension.network_device.sysuptime),
  by: { `dt.entity.network:device` },
  interval: 1m,
  from: -60m,
  to: -1m
}
| fieldsAdd status = if(isNotNull(uptime[]), 0, else: 1)
| fieldsRename device = `dt.entity.network:device`
| lookup [
    fetch `dt.entity.network:device`
    | expand tags
  ], lookupField: id, sourceField: device
| filter isNotNull(lookup.id)
| fields timeframe, interval, status, device, lookup.tags

thanks to that you will drop the trailing null bucket



Reply

Go to solution
t_pawlak
Leader
In response to t_pawlak

‎04 Feb 2026 11:09 AM

In documentation I found that you can use arrayLast(uptime) - it returns the last non-null element
Array functions 

0 Kudos
Reply

Go to solution
scholcia
Newcomer

‎04 Feb 2026 11:18 AM

thanks, that's perfect solution !

Reply
Ask a question

Featured Posts