4/19/2023

Kusto summarize

In this blog post, we will learn which string operator to use and when to use it. We will also learn some basic queries to discover the amount of data in a Log Analytics Workspace. Along the way we will cover the basic string operators that we can use.

In the SQL to KQL blog post, we used the evaluation data of the MITRE APT29 test to test our queries. Because this blog post will also be about performance, we want to use a bigger data set in the form of the Log Analytics Demo environment. The importance of performance and optimizing queries comes from the limits in Log Analytics: the time limit for queries is 10 minutes, and there are also limits on the amount of data a query can return.

If we open the environment, we have to sign in with a Microsoft account. For the demo we will change the time range to 7 days and run the following search:

search *

So we have a lot of data, but how many tables do we have?

search *

And which tables do we have, and can we also sort them by count in descending order?

search *

Today the largest $table is ContainerLog, so let's see which Computers are reporting container data. The Computer with the largest log count is aks-agentpool-13012534-1.

The next step is to query 10 random records to view the contents. To do this we will use the equal operator:

ContainerLog

If we want to query 10 records where Computer is not aks-agentpool-13012534-1, we will use the following not equal query:

ContainerLog

In the earlier query, we summarized the names and saw that all the names were in lower case. But we can also use the equal operator case insensitive, and we can also do a not equal case insensitive with the following string operator: !~

So what about the performance? I have compared the following 2 queries by running them 5 times:

ContainerLog
| count

[Figure: Case insensitive search in seconds]

This is not a scientific test, but it does show that a simple query can be 20% faster if you can be case sensitive.

We have queried aks-agentpool-13012534-1, but there is also aks-agentpool-13012534-0. We can query on both by using the has operator. Since the query returns a lot of lines, we will improve it by summarizing the results by Computer and LogEntry. This way we can get a feeling for how many times a certain log entry was logged on one of the two agent pools.

| summarize count() by Computer, LogEntry

Let's make sure that the terminating error is not in the other pools:

| where LogEntry == "Process is terminating due to StackOverflowException."

I think someone should take a look at aks-agentpool-13012534-1 for the log entry: "Process is terminating due to StackOverflowException."

Where the equal operator is case sensitive, the has operator is case insensitive. To add case sensitivity we can use the _cs suffix. The performance gain for case sensitivity is a bit smaller when using the has operator.
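As an added example (not code from the original post), the queries walked through above written out in full against the Log Analytics Demo ContainerLog table; the agent pool names and the log entry are the ones from the post, while the where clauses, the `=~` operator and `has_cs` are standard KQL and assumed here. Run each query separately in the Log Analytics query editor.

```kql
// 1. How much data is there, and which tables are the largest?
search *
| summarize count() by $table
| sort by count_ desc

// 2. Which Computers report container data? (count_ is the default column
//    name that summarize count() produces)
ContainerLog
| summarize count() by Computer
| sort by count_ desc

// 3. Case-sensitive equality (==) to view 10 records, and its negation (!=)
ContainerLog
| where Computer == "aks-agentpool-13012534-1"
| take 10

ContainerLog
| where Computer != "aks-agentpool-13012534-1"
| take 10

// 4. Case-insensitive equality (=~) and not-equal (!~): they match
//    regardless of casing, but the post measured them as slower than == / !=
ContainerLog
| where Computer =~ "AKS-AgentPool-13012534-1"
| count

// 5. has matches a whole term case-insensitively, so one query covers
//    both agent pools (-0 and -1); summarize keeps the output readable
ContainerLog
| where Computer has "aks-agentpool-13012534"
| summarize count() by Computer, LogEntry
| sort by count_ desc

// 6. has_cs is the case-sensitive variant; use it when the casing of the
//    data is known (the summarize above showed lower-case names). Here it
//    checks which pool logged the terminating error.
ContainerLog
| where Computer has_cs "aks-agentpool-13012534"
| where LogEntry == "Process is terminating due to StackOverflowException."
| summarize Occurrences = count() by Computer
```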