Azure App Insights to identify 500 Error code Trend week over week
I am trying to create a chart on Azure App Insights for all the 500 errors we receive, with the unique types per Cloud_RoleName. What I want to do is show a week-over-week and month-over-month trend, to see whether we are getting new TYPES of 500 Error compared to the previous week's data. Basically a week-over-week trend analysis of 500 errors.
I tried the following query:
```kusto
requests
| where resultCode =="500" and timestamp > ago(1d)
| join (exceptions) on operation_Id
| summarize by type, cloud_RoleName
```
As far as I understand, this will return only the previous 1 day's data with 500 errors, summarized by type. Unfortunately, I am unable to form a query to get the week-over-week trend data. Any help on this KQL?

After Yoni's reply, I found a blog that generates a trend chart for security events, so I went ahead and used the query from the blog and created it here, but I am still not sure whether I am getting what I want. Maybe someone can modify this query, as all I want is the per-week cloud_roleName data from the Exception and Request tables. https://microsoftonlineguide.blogspot.com/2018/05/detect-malicious-activity-using-azure.html?showComment=1561507971564#c5650649192825890878

Trend of new 500 error types
```kusto
let T=requests
| where resultCode =="500" and timestamp > ago(30d)
| join (exceptions) on operation_Id
| summarize by type, cloud_RoleName, Date = startofday(timestamp);
T
| evaluate activity_counts_metrics(type,Date, startofday(ago(30d)), startofday(now()), 1d, type, cloud_RoleName)
| extend WeekDate = startofweek(Date)
| project WeekDate, Date, type, PotentialAnomalyCount = new_dcount, cloud_RoleName
| join kind= inner
(
T
| evaluate activity_engagement(type, Date, startofday(ago(30d)), startofday(now()),1d, 7d)
| extend WeekDate = startofweek(Date)
| project WeekDate, Date, Distribution1day = dcount_activities_inner, Distribution7days = dcount_activities_outer, Ratio = activity_ratio*100
)
on WeekDate, Date
| where PotentialAnomalyCount == 1 and Ratio < 100
| project WeekDate, Date, type, cloud_RoleName, PotentialAnomalyCount, Distribution1day, Distribution7days, Ratio
| render barchart kind=stacked
```
It's a bit difficult to reply without knowing your data and its structure.
That said, here's an attempt to answer based on the verbal description in your question, using the built-in activity_counts_metrics plugin (link to doc):
```kusto
datatable(day:datetime, result_code:int)
[
datetime(2019-05-01), 500,
datetime(2019-05-10), 500,
datetime(2019-05-20), 500,
datetime(2019-06-01), 500,
datetime(2019-06-02), 500,
datetime(2019-06-03), 501,
datetime(2019-06-04), 500,
datetime(2019-06-05), 500,
datetime(2019-06-06), 500,
datetime(2019-06-07), 500,
datetime(2019-06-08), 500,
datetime(2019-06-09), 500,
datetime(2019-06-10), 500,
datetime(2019-06-11), 500,
datetime(2019-06-12), 500,
datetime(2019-06-13), 502,
datetime(2019-06-14), 500,
]
| evaluate activity_counts_metrics(result_code, day, ago(60d), now(), 'week')
// try using 'month' too, instead of 'week'
```
This returns:
| day | count | dcount | new_dcount | aggregated_dcount |
|-----------------------------|-------|--------|------------|-------------------|
| 2019-04-28 00:00:00.0000000 | 1 | 1 | 1 | 1 |
| 2019-05-05 00:00:00.0000000 | 1 | 1 | 1 | 1 |
| 2019-05-19 00:00:00.0000000 | 1 | 1 | 1 | 1 |
| 2019-05-26 00:00:00.0000000 | 1 | 1 | 1 | 1 |
| 2019-06-02 00:00:00.0000000 | 7 | 2 | 2 | 2 |
| 2019-06-09 00:00:00.0000000 | 6 | 2 | 2 | 2 |
where:
TimelineColumn: The time window [week/month/etc.] start time.
count: The total records count in the time window.
dcount: The distinct ID values count in the time window.
new_dcount: The distinct ID values in the time window and compared to all previous time windows.
aggregated_dcount: The total aggregated distinct ID values from the 1st time window to the current (inclusive).
If you are interested in seeing the actual distinct codes (per week/month), the following could point you in the right direction:
```kusto
datatable(day:datetime, result_code:int)
[
datetime(2019-05-01), 500,
datetime(2019-05-10), 500,
datetime(2019-05-20), 500,
datetime(2019-06-01), 500,
datetime(2019-06-02), 500,
datetime(2019-06-03), 501,
datetime(2019-06-04), 500,
datetime(2019-06-05), 500,
datetime(2019-06-06), 500,
datetime(2019-06-07), 500,
datetime(2019-06-08), 500,
datetime(2019-06-09), 500,
datetime(2019-06-10), 500,
datetime(2019-06-11), 500,
datetime(2019-06-12), 500,
datetime(2019-06-13), 502,
datetime(2019-06-14), 500,
]
| summarize distinct_codes = make_set(result_code) by startofweek(day)
| extend distinct_codes_count = array_length(distinct_codes)
```
This returns:
| start_of_week | distinct_codes | distinct_codes_count |
|-----------------------------|----------------|----------------------|
| 2019-04-28 00:00:00.0000000 | 500 | 1 |
| 2019-05-05 00:00:00.0000000 | 500 | 1 |
| 2019-05-19 00:00:00.0000000 | 500 | 1 |
| 2019-05-26 00:00:00.0000000 | 500 | 1 |
| 2019-06-02 00:00:00.0000000 | 500, 501 | 2 |
| 2019-06-09 00:00:00.0000000 | 500, 502 | 2 |
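The answer above works on a single result_code column; the question actually asks for exception types per cloud_RoleName and wants to know which types are new compared to the previous week. The following KQL is an added example (not code from the question, the answer, or the linked blog) that builds that week-over-week view with the same `make_set` idea, using the standard Application Insights `requests` and `exceptions` tables and the `resultCode`, `operation_Id`, `cloud_RoleName`, `type` and `timestamp` columns already used in the question. The 90-day lookback and the `new_type_count > 0` filter are illustrative choices.

```kusto
// Added example: per cloud_RoleName, the set of exception types seen behind
// HTTP 500 responses in each week, and which of those types were absent the
// week before. Assumes the Application Insights requests/exceptions schema
// used in the question; the lookback value is a constructed choice.
let lookback = 90d;
let weekly =
    requests
    | where timestamp > ago(lookback) and resultCode == "500"
    // project exceptions down to the two columns we need, so the join does not
    // emit duplicate cloud_RoleName/timestamp columns (cloud_RoleName1, ...)
    | join kind=inner (exceptions | project operation_Id, type) on operation_Id
    | summarize types = make_set(type) by cloud_RoleName, week = startofweek(timestamp);
weekly
// sort by role, then week, so prev() refers to the same role's previous row
| order by cloud_RoleName asc, week asc
// first row of each role has no previous week: compare against an empty set
| extend prev_types = iff(prev(cloud_RoleName) == cloud_RoleName, prev(types), dynamic([]))
// types present this week but not in the previous row for this role
| extend new_types = set_difference(types, prev_types)
| project week, cloud_RoleName, types, new_types, new_type_count = array_length(new_types)
// keep only weeks in which something new showed up; drop this line to see every week
| where new_type_count > 0
```

Replace `startofweek(timestamp)` with `startofmonth(timestamp)` for the monthly variant. Note that `prev()` compares against the previous row that exists for that role, so if a role had no 500 responses at all in one week, everything in the following week is reported as new relative to the last week that had data; if you need a strict "previous calendar week" comparison, self-join `weekly` on `cloud_RoleName` and `week - 7d` instead of using `prev()`.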