KQL Query to filter duplicate entries and select top 1 from the log data
I am using below query to get the container error log and filtering to remove duplicates.
let ContainerIdList = KubePodInventory
| where ContainerName contains "acc-c1-logger"
| where Namespace has "prd" | where ClusterId =~ '/subscriptions/xxxx/resourcegroups/xxxx/providers/Microsoft.ContainerService/managedClusters/aksprd'
| distinct ContainerID;
ContainerLog
| where ContainerID in (ContainerIdList)
| where LogEntry !has "SRV1174"
| where LogEntry has "| E |" or LogEntry has "| F |"
| where LogEntry !contains "the I/O interface definition of project"
| where LogEntry !contains "the I/O interface definition of cuc"
| where TimeGenerated > ago(5m)
| project LogEntrySource, LogEntry, TimeGenerated
| order by TimeGenerated desc
| top 1000 by LogEntry
| render table
| extend SplitLog = split(LogEntry, "|")
| project C1 = SplitLog[0], cc=SplitLog[1],C2 = todatetime(SplitLog[1]), C3 =
SplitLog[2], C4 = SplitLog[3], C5=SplitLog[4], logerror=SplitLog[5]
| summarize arg_max(C2,*) by tostring(logerror)
| project-away logerror
| project ERROR = strcat( cc, "|", C3, "|", C4, "|", C5, "|", logerror1)
i get following output in the error table
2024-06-27 20:43:47 | con-prc-sc | SRV2006 | E | [DB_AdviceSimulationAlerted] on project
'Advice': error while storing: During executeUpdate: Could not find prepared statement
with handle 7."
2024-06-27 20:44:00 | con-prc-sc | SRV2001 | E | Unable to connect DB
2024-06-27 20:44:47 | con-prc-sc | SRV2006 | E | [DB_AdviceSimulationAlerted] on project
'Advice': error while storing: During executeUpdate: Could not find prepared statement
with handle 9."
2024-06-27 20:45:00 | con-prc-sc | SRV2001 | E | file is missing on relative path
2024-06-27 20:45:47 | con-prc-sc | SRV2006 | E | [DB_Advice] on project
'Advice': error while storing: During executeUpdate: Could not find prepared statement
with handle 11."
the requirement is here , i need to get only top 1 from the could not fine prepared statement error along with other errors.
The Expected outcome should be
Error:
2024-06-27 20:43:47 | con-prc-sc | SRV2006 | E |
[DB_AdviceSimulationAlerted] on project
'Advice': error while storing: During executeUpdate: Could not find
prepared statement with handle 7."
2024-06-27 20:44:00 | con-prc-sc | SRV2001 | E | Unable to connect DB
2024-06-27 20:45:00 | con-prc-sc | SRV2001 | E | file is missing on
relative path
thanks in advance
Solution
You could do the following directly below your last line of your Query:
Data is only for reproducing your data.
let Data = datatable(ERROR: string)
[
"2024-06-27 20:43:47 | con-prc-sc | SRV2005 | E | [DB_AdviceSimulationAlerted] on project 'Advice': error while storing: During executeUpdate: Could not find prepared statement with handle 11.",
"2024-06-27 20:43:47 | con-prc-sc | SRV2005 | E | [DB_AdviceSimulationAlerted] on project 'Advice': error while storing: During executeUpdate: Could not find prepared statement with handle 9.",
"2024-06-27 20:43:47 | con-prc-sc | SRV2006 | E | [DB_AdviceSimulationAlerted] on project 'Advice': error while storing: During executeUpdate: Could not find prepared statement with handle 7.",
"2024-06-27 20:44:00 | con-prc-sc | SRV2001 | E | Unable to connect DB",
"2024-06-27 20:44:47 | con-prc-sc | SRV2006 | E | [DB_AdviceSimulationAlerted] on project 'Advice': error while storing: During executeUpdate: Could not find prepared statement with handle 9.",
"2024-06-27 20:45:00 | con-prc-sc | SRV2001 | E | file is missing on relative path",
"2024-06-27 20:45:47 | con-prc-sc | SRV2006 | E | [DB_Advice] on project 'Advice': error while storing: During executeUpdate: Could not find prepared statement with handle 11."
];
Data
| extend type = tostring(split(ERROR, "|")[2])
| extend ts = tostring(split(ERROR, "|")[0])
| extend message = tostring(split(ERROR, "|")[4])
| extend type = iff(message contains "Could not find prepared statement with handle", "A", strcat(type, message))
| order by type desc, ts desc
| extend HasPrev = prev(type) == type
| where HasPrev == false
| project ERROR
Result:
- Column contains text contains other column
- Kql function to append columns
- Applying a KQL query to the transform_kql parameter through terraform
- KQL query to list the secrets and keys in keyvault that are expired or going to expire in 7 days
- Monitor HTTP traffic for Azure Web App using Log analytics and KQL query
- How to hide or change legend in "Run query and visualize results" logic app function?
- How to calculate time difference between the latest entries of two indirectly tables in Kusto (KQL)?
- Calculate the number of overlapping days for each device using KQL
- How good is performance of "has" operator in Kusto when RHS is not exactly one term?
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- Count how many elements are in an array created by make_set in kusto language
- Inserting data in KQL
- Stuck at PIM Diagnostics via KQL
- union with all fields
- How to create an Alert for Data Collection Rule deletion across all VMs in a subscription?
- Are joins within the same cluster consistent and isolated in Azure Data Explore?
- How to run Get Kusto query using Rest API
- use range with custom field
- Azure Application Insights: How to make a nice time graph from a custom KQL query?
- KQL: bag unpack json into single row
- Is customDimension column name 'first' restricted?
- How can I get sub value in nested json via KQL?
- ADX - KQL: Conditionally Extending Property Columns from Dynamic Column
- Kusto make-series by month
- Need suggestion to implement restrictive permissions to Kusto Tables and Functions
- KQL merge rows with the same ID into one row
- How to do a KQL time window join at millisecond granularity?
- Kusto Query replace the timestamp of duplicate rows
- Bin producing unexpected results
- How to create a whitelist with two fields in KQL with a Watchlist?