Condividi tramite


Operations Management Suite Log Search How To: Part IX – the DISTINCT command

A nifty little addition to our language has been recently pushed out: the DISTINCT command.

Now, before I continue, if you have just stumbled here but have no previous experience with the search syntax, notice that this is the ninth installment of a Series that walks thru the concepts of Operations Management Suite (formerly Microsoft Azure Operational Insights) Search Syntax – while the full documentation and syntax reference is here, these posts are meant to guide your first steps with practical examples. I’ll start very simple, and build upon each example, so you can get an understanding of practical use cases for how to use the syntax to extract the insights you need from the data.

In my first post I introduced filtering, querying by keyword or by a field’s exact value match, and some Boolean operators.

In the second post I built upon the concepts of the first one, and introduced some more complex flavors of filters that are possible. Now you should know all you need to extract the data set you need.

In the third post I introduced the use of the pipeline symbol “|” and how to shape your results with search commands.

In the fourth post I introduced our most powerful command – measure �� and used it with just the simplest of the statistical functions: count() .

In the fifth post I expanded on the measure command and showed the Max() statistical function.

In the sixth post I continued with measure’s statistical functions – I showed how Avg() is useful with Performance data among other things.

In the seventh post I continued with another of measure’s statistical functions – Sum() – and introduced the where command.

In the eight post I introduced the sub-searches feature that is accessed with the IN operator.

 

Today I want to introduce you to DISTINCT. As the name hopefully suggests, this command provides the list of distinct values for a field. Sure, the same could be achieved with measure count() command as well:

 

Type=Event | Measure count() by Computer

Type=Event | Measure count() by Computer

 

But if all you are interested in is the just LIST of distinct values and not the count of documents that have that value, then DISTINCT makes for a cleaner/more readable output and shorter syntax

Type=Event | Distinct Computer

Type=Event | distinct Computer

 

This is particularly useful in sub-searches – where all you want is really a distinct list of ‘something’ to pass in as filter value for an outer search. [Note – if you are confused about this last statement, read the previous post https://blogs.msdn.com/b/dmuscett/archive/2015/05/30/operations-management-suite-log-search-how-to-part-viii-the-in-operator-and-subsearches.aspx ]

Happy searching!