PowerQuery users can override the timespan of a query by combining filter timestamp with the querystart() or queryend() function. This gives users the flexibility to specify different time ranges for the subqueries in a PowerQuery join statement.
The example below, taken from the PowerQuery documentation, shows the number of error events per minute, broken down by hostname, within the specified query time range.
message contains "error"
| group eventsPerMinute = count() / queryspan("minutes") by serverHost
| sort -eventsPerMinute
To compare the number of error events per minute in the last 5 minutes versus the last 10 minutes across all hosts, use the following query:
|join
a = (message contains "error" | filter timestamp > queryend() - (5 * 60 * 1_000_000_000) | group eventsPerMinute_last_5 = count() / queryspan("minutes") by serverHost | sort -eventsPerMinute_last_5),
b = (message contains "error" | filter timestamp > queryend() - (10 * 60 * 1_000_000_000) | group eventsPerMinute_last_10 = count() / queryspan("minutes") by serverHost | sort -eventsPerMinute_last_10)
on a.serverHost = b.serverHost
The filter timestamp > queryend() - (5 * 60 * 1_000_000_000) does the trick: it returns the last 5 minutes of data based on the events' timestamps. This workaround can apply to other use cases where you need to query different time ranges in the same join statement.
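The same technique with querystart(), as an added example that is not from the original article or the PowerQuery documentation: it compares error counts per host in the first 5 minutes of the query time range against the last 5 minutes. It assumes the query time range is at least 10 minutes so the two windows do not overlap, and it groups on raw count() because queryspan() reflects the full query time range rather than the filtered window; the column names are illustrative.

```powerquery
// Added example: column names errors_first_5 / errors_last_5 are illustrative.
// Offsets are in nanoseconds: 5 min * 60 s * 1_000_000_000 ns.
| join
  a = (message contains "error"
       | filter timestamp < querystart() + (5 * 60 * 1_000_000_000)
       | group errors_first_5 = count() by serverHost),
  b = (message contains "error"
       | filter timestamp > queryend() - (5 * 60 * 1_000_000_000)
       | group errors_last_5 = count() by serverHost)
  on a.serverHost = b.serverHost
```

Because both windows are the same length, the two counts are directly comparable per host.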