Writing a PowerQuery to get the top values of a single or combination of attributes is quite straightforward. For instance, the following query returns the top log volume contributors from the account.
tag = 'logVolume' metric='logBytes'
| group total = sum(value) by host, forlogfile
| sort -total
The top rows return the most overall log volume based on the combination of hostname and logfile. However, if I am interested in getting each host's top 3 volume contributors instead, what's the query for it?
With the new Powerquery's array support, the array_agg
function enables users to get the answer.
tag = 'logVolume' metric='logBytes'
| group total = sum(value) by host, forlogfile
| sort -total
| group total_bytes = sum(total), log_files = array_agg(forlogfile, 3), byte_array = array_agg(format("%d", total), 3) by host
In this case, we get the top 3 log files that log the most data to the corresponding hosts. The first column is the hostname, the second column is the aggregate number of bytes from the top 3 log file sources, the third column is the name of the log files, and the last column is the breakdown of each file's actual log volume.
Please sign in to leave a comment.