kql, azure-data-explorer, kusto-explorer

Kusto query with multiple sample values from an aggregate


I have a query that retrieves the success rate of a service from Kusto logs. The query collects a sample span ID with take_anyif(spanId, success!="true"), but I want to collect 3 span IDs.

    logsTable
    | where timestamp > ago(1h)
    | summarize allCount=count(), okCount=sumif(1, success == "True"), sampleSpanId=take_anyif(spanId, success != "True") by name
    | extend okRate=round(todouble(okCount*100)/allCount, 4)
    | project name, sampleSpanId, okRate

This produces a table with 3 columns. I want to keep the 3 columns, but have sampleSpanId contain 3 different comma-separated sample span IDs.


Solution

  • You can use make_set_if with a size limit of 3: make_set_if(spanId, success != "True", 3).

    logsTable
    | where timestamp > ago(1h)
    | summarize allCount=count(), okCount=sumif(1, success == "True"), sampleSpanIds=make_set_if(spanId, success != "True", 3) by name
    | extend okRate=round(todouble(okCount*100)/allCount, 4)
    | project name, sampleSpanIds, okRate
    

    The above query produces output similar to this:

    GET/, ["123","456","789"], 99.85
    DELETE/, ["abc","def","876"], 100.0
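
An added example, not part of the original answer: make_set_if returns a dynamic array, so to get the single comma-separated string the question asks for, the set can be joined with strcat_array. The datatable below is constructed sample data standing in for logsTable (the operation names and span IDs are made up), which lets the query run without access to the real logs.

```kusto
// Constructed sample rows standing in for logsTable; all values are made up.
let logsTable = datatable(timestamp:datetime, name:string, spanId:string, success:string)
[
    datetime(2024-01-01 10:00:00), "GET/",    "span-001", "True",
    datetime(2024-01-01 10:00:05), "GET/",    "span-002", "False",
    datetime(2024-01-01 10:00:09), "GET/",    "span-003", "False",
    datetime(2024-01-01 10:00:12), "GET/",    "span-004", "False",
    datetime(2024-01-01 10:00:20), "GET/",    "span-005", "False",
    datetime(2024-01-01 10:01:00), "DELETE/", "span-101", "True",
    datetime(2024-01-01 10:01:30), "DELETE/", "span-102", "True"
];
logsTable
// The "| where timestamp > ago(1h)" filter from the page is left out here
// because the sample timestamps are fixed; put it back when querying real logs.
| summarize
    allCount = count(),
    okCount = countif(success == "True"),
    // Collect at most 3 distinct span IDs from failed rows. Which 3 are kept is
    // not guaranteed, and a group with no failed rows gets an empty set.
    failedSpanIds = make_set_if(spanId, success != "True", 3)
  by name
| extend okRate = round(todouble(okCount * 100) / allCount, 4)
// Join the dynamic array into one comma-separated string column.
| extend sampleSpanIds = strcat_array(failedSpanIds, ",")
| project name, sampleSpanIds, okRate
```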