How to remove duplicate log entries in dynamic column through KQL Query
I am trying to remove duplicate log entries from the dynamic column through KQL query. Below is the query.
let ContainerIdList = KubePodInventory
| where ContainerName contains "boss-logger"
| where Namespace has "devns"
| where ClusterId =~ '/subscriptions/abc1234-bcbd-3124-bc3a-524132fb1786645/resourcegroups/rg-aks-dev/providers/Microsoft.ContainerService/managedClusters/aksdevcluster'
| distinct ContainerID;
ContainerLog
| where ContainerID in (ContainerIdList)
| where LogEntry matches regex "ERROR"
| project LogEntry
| distinct LogEntry
However it does not removing the duplicate entries due to few characters although the error is same. please find screenshot output below.
if you see the above screenshot, "ERROR" is same but it does not getting removed due to those three characters and different timestamp.
How can we remove those duplicates based on content from ERROR: not timestamp and those three characters.
Solution
How to remove duplicate log entries in dynamic column through KQL Query
I have reproduced in my environment and got expected results as below:
Firstly, I have taken a simple table like below:
LogEntry
2023-07-23 11:40:50,076 Error[xxx]
2023-07-23 11:42:50,400 Error[yyy]
2023-07-23 11:40:50,567 Error[xxx]
2023-07-23 14:40:50,011 Error[zzz]
I have used below query:
let x = datatable(LogEntry: string)
[
"2023-07-23 11:40:50,076 Error[xxx]",
"2023-07-23 11:42:50,400 Error[yyy]",
"2023-07-23 11:40:50,567 Error[xxx]",
"2023-07-23 14:40:50,011 Error[zzz]"
];
x
| extend SplitLog = split(LogEntry, " ")
| project C1 = todatetime(SplitLog[0]), C2 =SplitLog[1],cc=SplitLog[2], C3 = tostring(SplitLog[2])
| summarize arg_max(C1,*) by C3
| project-away C3
| project C2,cc,C1= todatetime(C1)
|extend SplitLog = split(C1, "T")
| project F1 = SplitLog[0],C2=C2,C3=cc
| project LogEntry = strcat(F1, " ", C2, " ", C3, " ")
Output:
- How to run Get Kusto query using Rest API
- use range with custom field
- Azure Application Insights: How to make a nice time graph from a custom KQL query?
- KQL: bag unpack json into single row
- Is customDimension column name 'first' restricted?
- How can I get sub value in nested json via KQL?
- Kusto make-series by month
- Need suggestion to implement restrictive permissions to Kusto Tables and Functions
- KQL merge rows with the same ID into one row
- How to do a KQL time window join at millisecond granularity?
- Kusto Query replace the timestamp of duplicate rows
- Bin producing unexpected results
- How to create a whitelist with two fields in KQL with a Watchlist?
- KQL Query for Calculation of ErrorDuration within Timespan
- Add text to point(s) in Kusto linechart
- Kusto query with multiple sample values from an aggregate
- How to get data for specific date (startofweek) in a given time range in KQL?
- How can I convert TimeGenerated to TimeIngested in this KQL query for an Azure Workbook?
- multiple if and else within kql azure
- Controlling scatter chart markers in Azure Data Explorer dashboard using KQL
- Monitor HTTP traffic for Azure Web App using Log analitics and KQL query
- Defining external table kind as delta
- Kusto query map through array
- how to use or condition in kql
- KQL: Every time a word is mentioned in a column append it to a new column as a list
- KQL: Create an id column every time a value changes in column x ordered by another column y
- KQL query returns available memory but not Total Memory
- Display lines & values for whole range of y-axis values in Kusto linechart
- Kusto - fetch data from one table where matching records do not exist in another table
- KQL - extract property value from an array of JSON objects, based on the value of another property