FACET not returning correct count

I am logging 4 different types of unique strings:

  • createOpsVehicle_FailedState
  • createOpsListing_FailedState
  • requestEnrollment_FailedState
  • updateOwnerReservation_FailedState
    And I cause 3 createOpsVehicle_FailedState and 1 createOpsListing_FailedState errors but my query only returns createOpsListing_FailedState.
    “SELECT count(*) FROM Log WHERE message LIKE ‘%_FailedState’ AND apmApplicationNames LIKE ‘%my_host_name%’ FACET message TIMESERIES”
    Can someone tell me why the query is not returning the correct result?

Hi, @ray.kahn1: By default, NRQL looks at events for the past 60 minutes. Did you create all 4 events within an hour of when you ran the query? You may increase the time window by adding a SINCE clause.

Also, FACET queries return 10 results by default. You may use a LIMIT clause to change the number of results returned.

Thanks for your response @philweber.
It doesn’t matter whether I change it to “SINCE 1 week”
SELECT count(*) FROM Log WHERE message LIKE ‘%_FailedState’ AND apmApplicationNames LIKE ‘%preprod-consumer-owner-host%’ FACET message TIMESERIES SINCE last week
It always returns 1 as a count.
If I wanted to change this to a tabular format instead of a graph how is it done?

It looks like WHERE apmApplicationNames is filtering them out:

If I wanted to change this to a tabular format instead of a graph how is it done?

Remove TIMESERIES

Phil,
I need apmApplicationNames to separate between the different envs that we have. The tabular format is great but the count is still off for some reason.

You will have to look at your data and figure out why your WHERE clause is filtering out log messages.

Thank you! You have been more than helpful!