3

I am using make-series to create an error dashboard showing events over a given period at a specified interval like so:

make-series dcount(id) default=0 on timestamp from ago(30d) to now() step 8h

This works great, and displays the data as expected. However this specifies an exact date range (30 days ago to now), and I would like to make this use the time range picked by the user on the dashboard (24 hours, 48 hours, etc.).

I know it is possible to get this behavior using summarize, however summarize does not easily allow for setting a default value of zero per timestamp bin (as far as I know).

Is it possible to use the make-series operator without defining a hardcoded date range, and instead use the time range set for a dashboard?

Matt Dalzell
  • 775
  • 3
  • 14

2 Answers2

7

Unfortunately, it is impossible as of now.

You can take a look at this user feedback and upvote for it: Retrieve the portal time span and use it inside the kusto query.

Ivan Glasenberg
  • 29,865
  • 2
  • 44
  • 60
  • Thanks for the link, I added a few upvotes. Very surprised that this is not possible already – Matt Dalzell Sep 10 '19 at 14:15
  • I would LOVE this functionality. Would be so useful for alert rule queries where the date range is defined outside the query. Would love to see functions like `queryFrom` and `queryTo`. – Tom Troughton Sep 12 '19 at 13:00
  • The user feedback link is broken now, here's the correct link: https://feedback.azure.com/d365community/idea/1d2fb0cb-1e25-ec11-b6e6-000d3a4f09d0 186 votes now. – emilast Apr 05 '22 at 14:04
  • @emilast unfortunately I can't access to that link either :( +1 for geting this feature, this will allow you to improve so much the data displayed and matching ranges for every chart – Ivan Coleto Mar 16 '23 at 10:35
  • Updated link here and it is marked as completed. However doesn't work for me https://feedback.azure.com/d365community/idea/1b2e4ce0-aa25-ed11-9db1-000d3a4d91bc – Gopal Krishnan Aug 11 '23 at 15:25
0

Whilst this is not officially supported (i.e. there is no variable you can use to retrieve the values), you can work around this with a bit of a hack.

For context, I am displaying some aggregations from Azure Container Insights on my dashboards and I wanted to use make-series instead of summarize - the latter does not return empty bins so leaves gaps in graphs where you have no data returned in that bin; however, make-series requires explicit start/end times and a grain.

Given the nature of the above, I have access to a large table of data that is constantly updated (ContainerLog), which gives me a way to find a close approximation of the date range (and any inaccuracy is not a problem as I am reporting on the data of this table anyway).

// All tables with Timestamp or TimeGenerated columns are implicitly filtered, so we can retrieve a very close approximation of min and max here
let startDate = toscalar(ContainerLog | summarize min(TimeGenerated));
let endDate   = toscalar(ContainerLog | summarize max(TimeGenerated));

// The regular query sits here, and the above variables can be passed in to make-series
MyLogFunction
| make-series Count=count() default=0 on Timestamp in range(startDate, endDate, 30m) by Severity
| render columnchart with ( legend=hidden )
James
  • 1,028
  • 9
  • 20