KQL Query to filter duplicate entries and select top 1 from the log data
I am using below query to get the container error log and filtering to remove duplicates.
let ContainerIdList = KubePodInventory
| where ContainerName contains "acc-c1-logger"
| where Namespace has "prd" | where ClusterId =~ '/subscriptions/xxxx/resourcegroups/xxxx/providers/Microsoft.ContainerService/managedClusters/aksprd'
| distinct ContainerID;
ContainerLog
| where ContainerID in (ContainerIdList)
| where LogEntry !has "SRV1174"
| where LogEntry has "| E |" or LogEntry has "| F |"
| where LogEntry !contains "the I/O interface definition of project"
| where LogEntry !contains "the I/O interface definition of cuc"
| where TimeGenerated > ago(5m)
| project LogEntrySource, LogEntry, TimeGenerated
| order by TimeGenerated desc
| top 1000 by LogEntry
| render table
| extend SplitLog = split(LogEntry, "|")
| project C1 = SplitLog[0], cc=SplitLog[1],C2 = todatetime(SplitLog[1]), C3 =
SplitLog[2], C4 = SplitLog[3], C5=SplitLog[4], logerror=SplitLog[5]
| summarize arg_max(C2,*) by tostring(logerror)
| project-away logerror
| project ERROR = strcat( cc, "|", C3, "|", C4, "|", C5, "|", logerror1)
i get following output in the error table
2024-06-27 20:43:47 | con-prc-sc | SRV2006 | E | [DB_AdviceSimulationAlerted] on project
'Advice': error while storing: During executeUpdate: Could not find prepared statement
with handle 7."
2024-06-27 20:44:00 | con-prc-sc | SRV2001 | E | Unable to connect DB
2024-06-27 20:44:47 | con-prc-sc | SRV2006 | E | [DB_AdviceSimulationAlerted] on project
'Advice': error while storing: During executeUpdate: Could not find prepared statement
with handle 9."
2024-06-27 20:45:00 | con-prc-sc | SRV2001 | E | file is missing on relative path
2024-06-27 20:45:47 | con-prc-sc | SRV2006 | E | [DB_Advice] on project
'Advice': error while storing: During executeUpdate: Could not find prepared statement
with handle 11."
the requirement is here , i need to get only top 1 from the could not fine prepared statement error along with other errors.
The Expected outcome should be
Error:
2024-06-27 20:43:47 | con-prc-sc | SRV2006 | E |
[DB_AdviceSimulationAlerted] on project
'Advice': error while storing: During executeUpdate: Could not find
prepared statement with handle 7."
2024-06-27 20:44:00 | con-prc-sc | SRV2001 | E | Unable to connect DB
2024-06-27 20:45:00 | con-prc-sc | SRV2001 | E | file is missing on
relative path
thanks in advance
Solution
You could do the following directly below your last line of your Query:
Data is only for reproducing your data.
let Data = datatable(ERROR: string)
[
"2024-06-27 20:43:47 | con-prc-sc | SRV2005 | E | [DB_AdviceSimulationAlerted] on project 'Advice': error while storing: During executeUpdate: Could not find prepared statement with handle 11.",
"2024-06-27 20:43:47 | con-prc-sc | SRV2005 | E | [DB_AdviceSimulationAlerted] on project 'Advice': error while storing: During executeUpdate: Could not find prepared statement with handle 9.",
"2024-06-27 20:43:47 | con-prc-sc | SRV2006 | E | [DB_AdviceSimulationAlerted] on project 'Advice': error while storing: During executeUpdate: Could not find prepared statement with handle 7.",
"2024-06-27 20:44:00 | con-prc-sc | SRV2001 | E | Unable to connect DB",
"2024-06-27 20:44:47 | con-prc-sc | SRV2006 | E | [DB_AdviceSimulationAlerted] on project 'Advice': error while storing: During executeUpdate: Could not find prepared statement with handle 9.",
"2024-06-27 20:45:00 | con-prc-sc | SRV2001 | E | file is missing on relative path",
"2024-06-27 20:45:47 | con-prc-sc | SRV2006 | E | [DB_Advice] on project 'Advice': error while storing: During executeUpdate: Could not find prepared statement with handle 11."
];
Data
| extend type = tostring(split(ERROR, "|")[2])
| extend ts = tostring(split(ERROR, "|")[0])
| extend message = tostring(split(ERROR, "|")[4])
| extend type = iff(message contains "Could not find prepared statement with handle", "A", strcat(type, message))
| order by type desc, ts desc
| extend HasPrev = prev(type) == type
| where HasPrev == false
| project ERROR
Result:
- Creating KQL query to get Azure VMs not patched since 30days
- Create a function to calculate power of tens with a loop and reuse them in another query
- Azure Resource Graph - Database sizes
- KQL Query to filter duplicate entries and select top 1 from the log data
- Generate Chart by Type and State
- Azure Data Explorer C# querying and ORM
- How to find non distinct/duplicate messages in Azure Application Insights?
- Kusto query for time between records by group in one result list
- Application Insights KQL query - not in sub query
- Logic Apps copy action gives: The managed identity used with this operation no longer exists. To continue, set up an identity or change the connection
- Get all types of resources in a resource group
- insert an array in column of the kql table
- Stuck at PIM Diagnostics via KQL
- In Azure log analytics - where are the delete queries in KQL?
- Get the difference between Successive timestamps KQL
- Grouping on the basis of cumulative sum
- Check two different tables
- Is it possible to group rows programmatically in KQL?
- How could I parse the json array in Kusto?
- How to use table alias in KQL query
- How do I create an Azure workbook that accepts a time range in UTC?
- Azure Resource Graph Explorer :: list all VMs with number of cores
- Restrict all table and function except specific table
- Extract query string from url
- how to convert the rows into columns in Azure Data Explorer (Kusto)
- String function not parsing all characters
- free disk space overview using InsightsMetrics
- Query Azure Resource Graph and get a list of all the application registration that contains "test"
- Time difference between separate rows in same table
- How can I default a KQL Defender Vulnerability Summary to zero?