Support conversion and formatting functions in the search language
There should be option in the search language to convert metrics. For example If I want to convert Bytes to Gigabytes that should be possible in the search language. Other examples are in converting time to specific format (shorter time format, adding timezone and etc.)
You can do conversions in the search language, for example:
Type=Perf CounterName=“Available Memory MB” | measure avg(div(CounterValue, 1024)) as MemoryGB by Computer
Do we have an ETA on when are we releasing this if its approved?
That is a good start.
Austin McCollum commented
Any consideration of porting the conversion, formatting functions from LogParser 2.2? I use Log Parser Studio heavily, and it would be great to have certain functions like TO_LOWERCASE(), EXTRACT_PREFIX, EXTRACT_TOKEN.
Some examples of data that is difficult to read without these formatting functions:
IIS log "cs-uri-stem" field
I really would love results that just tally results between the first two "/", for example in LogParser I can use the following formatting functions
Select TOP 10 TO_LOWERCASE(EXTRACT_TOKEN( cs-uri-stem ,1, '/' )) AS Path
for results like this:
Then of course, like OMS, Log Parser Studio makes it easy to create a bar chart for visualization.
At this point probably that kind of format changes/math for time are not needed for aggregated results. The count() by TImeGenerated function is limited to certain scenarios and those scenarios can live without such format changes. May be in the future when there are more advanced function that you can do with TimeGenerated it will be needed.
Do you ALSO need to do this type of format changes/math against AGGREGATED results (from Measure) ?
With datetime you have today some form of that with measure count() by TImeGenerated interval 1DAY/6HOURS/whatevevr interval - which allows to somehow 'bucketize' times without trimming them down as strings.
But besides that, supporting the same with other data types might be very expensive initially and we were so far considering it more of a P2, where the P1 would be the support in 'SELECT' that I described in the previous comment.
Let us know your point of view, it is always appreciated!
The suggestion below seems nice and also flexible. May be the Time can follow the same approach like setting offset. Which will add/substract hours/minutes to the time and that way you can viewed as it is in another time zone. I am not sure about what math function can be used to make the time in different format like showing only hours and minutes and not seconds.
There *IS* some limited DateTime MATH, anyhow - but that is to choose the dates to use in filters, i.e.
this part is documented.
In the case of conversion/formatting function, we were thinking they would belong in the 'SELECT' command by introducing a 'AS' option to it (like you can assign a name to 'AggregatedResult' column with 'AS' in a MEASURE command). A bunch of these formatting capabilities are also present in Select-Object in powershell, so it could sound similar (as usual, cannot be identical).
I.e. could be something similar to this -
Type=Event | Select Computer as MachineName
csUriStem="/foo/bar" | select TimeTaken/1000 as Seconds
CounterName="Available MBytes" | Select Average/1024 as Giga
would that work?
Just gathering feedback on whether the current thinking makes sense.