Writing a PowerQuery to get the top values of a single or combination of attributes is quite straightforward. For instance, the following query returns the top log volume contributors from the account.
tag = 'logVolume' metric='logBytes'
| group total = sum(value) by host, forlogfile
| sort -total
The top rows return the most overall log volume based on the combination of hostname and logfile. However, if I am interested in getting each host's top 3 volume contributors instead, what's the query for it?
With the new Powerquery's array support, the array_agg
function enables users to get the answer.
tag = 'logVolume' metric='logBytes'
| group total = sum(value) by host, forlogfile
| sort -total
| group total_bytes = sum(total), log_files = array_agg(forlogfile, 3), byte_array = array_agg(format("%d", total), 3) by host
In this case, we get the top 3 log files that log the most data to the corresponding hosts. The first column is the hostname, the second column is the aggregate number of bytes from the top 3 log file sources, the third column is the name of the log files, and the last column is the breakdown of each file's actual log volume.
Comments
0 comments
Please sign in to leave a comment.