...
Computes the different type of URLs that their average time took between 100-300, 300-400 and 400-500 milliseconds based on the time-taken log field.
Example 4:
* in log.process | avg memory | interval 10 minutes | execute MB = column.Avg; if (result == NULL) then (result=""); diff=0; if (previous != NULL && (MB - previous) > 100) then (diff = MB - previous); key=""; if (diff > 0) then (key = previousTime + ";" + column.time + ";" + format(previous) + ";" + format(MB)); if (diff > 0) then (result = mapput(result, key, format(diff))); previous = MB; previousTime= column.time; result as Start of Time Slot, End of Time Slot , Min Memory, Max Memory, Memory Difference
Computes the difference of an average value in more than 100 units in a 10 minutes time slot - for example increase of more than 100 MB in memory in less than 10 minutes based on performance log.
Example 5:
* in log.LOG_NAME | execute if (total == NULL) then (total = 0); if (count == NULL) then (count = 0);if (column.COLUMN_NAME == COLUMN_VALUE) then (count = count + 1); total = total + 1;(count/total)*100
Computes the percentages of the value COLUMN_VALUE in the log column COLUMN_NAME out of all events in the log LOG_NAME
- Same query with 10% (for example) threshold for monitoring. I.E. if the value COLUMN_VALUE in the log column COLUMN_NAME out of all events in the log LOG_NAME is greater than 10% it will return a result:
* in log.LOG_NAME | execute if (total == NULL) then (total = 0); if (count == NULL) then (count = 0);if (column.COLUMN_NAME == COLUMN_VALUE) then (count = count + 1); total = total + 1;(count/total)*100 | where value > 10