How to write a Kusto query to find two consecutive rows that have the same value in a field

Question

I need to write a Kusto query for Azure Log Analysis that finds consecutive events that have the same value in a field (same error code). We basically need to find if the requests fail twice in a row. The case where a request fails, one succeeds and one fails is not to be returned.

score 7 · Accepted Answer · answered Oct 16 '18 at 04:28

Assuming you have a table with Id, Datetime, and a ErrorCode, you can utilize prev() function to achieve this:

https://learn.microsoft.com/en-us/azure/kusto/query/prevfunction

datatable(Id:string, Datetime:datetime, ErrorCode:string)
[
    '1', datetime(2018-10-16 00:00), 'Error 1',
    '1', datetime(2018-10-16 00:01), 'Error 1',
    '2', datetime(2018-10-16 00:02), 'Error 1',
    '2', datetime(2018-10-16 00:03), 'Error 2',
]
| order by Id, Datetime asc 
| extend prevErrorCode = prev(ErrorCode), prevId=prev(Id)
| where prevErrorCode==ErrorCode and prevId  == Id

if i use project and then where again. what does it mean ? – AnonymousScientificUser May 10 '22 at 10:25 — AnonymousScientificUser, May 10 '22 at 10:25

How to write a Kusto query to find two consecutive rows that have the same value in a field

1 Answers1