Use `make-series` operator without defining exact date range

Asked 9/9, 2019 at 14:18 Answered 21/7, 2022 at 10:3

Solved azure azure-application-insights azure-data-explorer kql

I am using make-series to create an error dashboard showing events over a given period at a specified interval like so:

make-series dcount(id) default=0 on timestamp from ago(30d) to now() step 8h

This works great, and displays the data as expected. However this specifies an exact date range (30 days ago to now), and I would like to make this use the time range picked by the user on the dashboard (24 hours, 48 hours, etc.).

I know it is possible to get this behavior using summarize, however summarize does not easily allow for setting a default value of zero per timestamp bin (as far as I know).

Is it possible to use the make-series operator without defining a hardcoded date range, and instead use the time range set for a dashboard?

Cyndie answered 9/9, 2019 at 14:18 Comment(0)

Unfortunately, it is impossible as of now.

You can take a look at this user feedback and upvote for it: Retrieve the portal time span and use it inside the kusto query.

Tactics answered 10/9, 2019 at 1:55 Comment(5)

Thanks for the link, I added a few upvotes. Very surprised that this is not possible already – Cyndie 10/9, 2019 at 14:15

I would LOVE this functionality. Would be so useful for alert rule queries where the date range is defined outside the query. Would love to see functions like queryFrom and queryTo. – Sheffield 12/9, 2019 at 13:0

The user feedback link is broken now, here's the correct link: feedback.azure.com/d365community/idea/… 186 votes now. – Mccready 5/4, 2022 at 14:4

@Mccready unfortunately I can't access to that link either :( +1 for geting this feature, this will allow you to improve so much the data displayed and matching ranges for every chart – Hypnotic 16/3, 2023 at 10:35

Updated link here and it is marked as completed. However doesn't work for me feedback.azure.com/d365community/idea/… – Tinker 11/8, 2023 at 15:25

Whilst this is not officially supported (i.e. there is no variable you can use to retrieve the values), you can work around this with a bit of a hack.

For context, I am displaying some aggregations from Azure Container Insights on my dashboards and I wanted to use make-series instead of summarize - the latter does not return empty bins so leaves gaps in graphs where you have no data returned in that bin; however, make-series requires explicit start/end times and a grain.

Given the nature of the above, I have access to a large table of data that is constantly updated (ContainerLog), which gives me a way to find a close approximation of the date range (and any inaccuracy is not a problem as I am reporting on the data of this table anyway).

// All tables with Timestamp or TimeGenerated columns are implicitly filtered, so we can retrieve a very close approximation of min and max here
let startDate = toscalar(ContainerLog | summarize min(TimeGenerated));
let endDate   = toscalar(ContainerLog | summarize max(TimeGenerated));

// The regular query sits here, and the above variables can be passed in to make-series
MyLogFunction
| make-series Count=count() default=0 on Timestamp in range(startDate, endDate, 30m) by Severity
| render columnchart with ( legend=hidden )

Underlet answered 21/7, 2022 at 10:3 Comment(1)

instead of startDate and endDate relying on whether you have good data, I used let startDate = ago(2h); let endDate = ago(5m); – Theravada 3/7 at 17:21

Recommended topics

Hot tags