Menu
I need to write a Kusto query for Azure Log Analysis that finds consecutive events that have the same value in a field (same error code). We basically need to find if the requests fail twice in a row. The case where a request fails, one succeeds and one fails is not to be returned.
469
Assuming you have a table with Id, Datetime, and a ErrorCode, you can utilize prev() function to achieve this:
https://learn.microsoft.com/en-us/azure/kusto/query/prevfunction
datatable(Id:string, Datetime:datetime, ErrorCode:string)
[
'1', datetime(2018-10-16 00:00), 'Error 1',
'1', datetime(2018-10-16 00:01), 'Error 1',
'2', datetime(2018-10-16 00:02), 'Error 1',
'2', datetime(2018-10-16 00:03), 'Error 2',
]
| order by Id, Datetime asc
| extend prevErrorCode = prev(ErrorCode), prevId=prev(Id)
| where prevErrorCode==ErrorCode and prevId == Id
answered Sep 19 '25 14:09
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With