Davis DQL examples
powered by Grail
These examples help illustrate how to build powerful and flexible health dashboards by using DQL to slice and dice all Davis reported problems and events.
Basic Davis problem examples
Davis problems represent results that originate from the Davis root-cause analysis runs. Within Grail Davis problems along with their updates are stored as Grail events.
- Example 1
Count the total number of problems in the last 24 hours. - Example 2
Count the current number of active problems. - Example 3
Chart the number of problems in the last 7 days to identify a trend within your environment stability. - Example 4
Identify the top 10 most problem affected entities within your environment. - Example 5
Join entity attributes with detected problems and apply a name filter. - Example 6
Load the last state of a given problem.
Basic Davis event examples
Davis events represent raw events that originate from various anomaly detectors within Dynatrace or within the OneAgent. Examples here are OneAgent detected CPU saturation events or High Garbage Collection Time events.
- Example 7
Chart the number of process restart events in the last 7 days.
Example 1: Count the total number of problems in the last 24 hours.
Count the total number of problems in the last 24 hours.
- Davis detected problems are distinguished by the
event.kind=”DAVIS_PROBLEM”
field. - As Davis problems also include regular refresh events, the summarize DQL command is used to group by unique
event.id
before counting the total number. - The
event.id
holds the unique problem id that is kept stable across all refreshes and updates that Davis reports for the same problem.
fetch events, from:now()-24h, to:now()
| filter event.kind == "DAVIS_PROBLEM"
| summarize {problemCount = countDistinct(event.id)}
Results table
problemCount |
---|
415 |
Example 2: Count the current number of active problems.
- Davis detected problems are distinguished by the
event.kind=”DAVIS_PROBLEM”
field. - As Davis problems also include regular refresh events, the query first sorts all refresh events by their timestamp.
- The result is grouped by the unique
event.id
field that contains the problem id. - The DQL command
takeLast
of the fieldevent.status
receives the last state with the purpose to filter out all those problems that are not in stateACTIVE
anymore.
fetch events
| filter event.kind == "DAVIS_PROBLEM"
| sort timestamp, direction:"ascending"
| summarize {event.status = takeLast(event.status)}, by:{ event.id }
| filter event.status == "ACTIVE"
| summarize {activeEvents = countDistinct(event.id)}
Results table
activeProblems |
---|
15 |
Example 3: Chart the number of problems in the last 7 days to identify a trend within your environment stability.
- Davis detected problems are distinguished by the
event.kind=”DAVIS_PROBLEM”
field. - The count is done in a resolution of 60 minutes bins.
fetch events, from:now()-7d, to:now()
| filter event.kind == "DAVIS_PROBLEM"
| summarize count = count(), by: {`60m interval` = bin(timestamp, 60m)}
Results table
60min interval | count |
---|---|
5/25/2023, 3:00 PM | 46 |
5/25/2023, 4:00 PM | 339 |
5/25/2023, 5:00 PM | 152 |
Example 4: Identify the top 10 most problem affected entities within your environment.
- Davis detected problems are distinguished by the
event.kind=”DAVIS_PROBLEM”
field. - The arrays field containing all affected entity ids is expanded into individual fields.
- Count all unique problems grouped by the affected entity ids.
- Sort by that problem count.
- Return the top 10 entity ids.
fetch events
| filter event.kind == "DAVIS_PROBLEM"
| expand affected_entity_ids
| summarize by:{affected_entity_ids}, count = countDistinct(display_id)
| sort count, direction:"descending"
| limit 10
Results table
affected_entity_ids | count |
---|---|
HOST-A9449CACDE12B2BF | 10 |
SERVICE-5624DD59D74FF453 | 5 |
PROCESS_GROUP_INSTANCE-3184C659684130C7 | 3 |
Example 5: Fetch all problems for a host with name "myhost".
A join with entity attributes is performed with the goal to filter all problems with a given host name.
- Davis detected problems are distinguished by the
event.kind=”DAVIS_PROBLEM”
field. - The arrays field containing all affected entity ids is expanded into individual fields.
- A topology and entity lookup is done on the
affected_entity_ids
field. - The resulting records are enriched with two entity fields that are prefixed with
host.
, namelyhost.id
andhost.name
. - A filter for the host name
myhost
is applied.
fetch events
| filter event.kind == "DAVIS_PROBLEM"
| expand affected_entity_ids
| lookup sourceField:affected_entity_ids, lookupField:id, prefix:"host.", [
fetch dt.entity.host | fields id, name = entity.name
]
| filter host.name == "myhost"
| limit 3
Results table
timestamp | affected_entity_ids | host.id | host.name | display_id |
---|---|---|---|---|
5/31/2023, 1:31:39 PM | HOST-27D70086952122CF | HOST-27D70086952122CF | myhost | P-23054243 |
Example 6: Load the last state of a given problem.
A join with entity attributes is performed with the goal to filter all problems with a given host name.
- Davis detected problems are distinguished by the
event.kind=”DAVIS_PROBLEM”
field. - Filter by the unique display identifier of the problem.
- Sort all problem update events by their timestamp in descending order.
- Return the last one.
fetch events
| filter event.kind == "DAVIS_PROBLEM"
| filter display_id == "P-23053506"
| sort timestamp desc
| limit 1
Results table
timestamp | affected_entity_ids | host.id | host.name | display_id |
---|---|---|---|---|
5/31/2023, 1:31:39 PM | HOST-27D70086952122CF | HOST-27D70086952122CF | myhost | P-23053506 |
Example 7: Chart the number of CPU saturation and high memory events in the last 7 days.
- Davis raw events are distinguished by the
event.kind=”DAVIS_EVENT”
field. - The count is done in a resolution of 60 minutes bins.
fetch events, from:now()-7d, to:now()
| filter event.kind == "DAVIS_EVENT"
| filter event.type == "OSI_HIGH_CPU" or event.type == "OSI_HIGH_MEMORY"
| summarize count = count(), by: {`60m interval` = bin(timestamp, 60m)}
Results table
60min interval | count |
---|---|
5/25/2023, 3:00 PM | 146 |
5/25/2023, 4:00 PM | 312 |
5/25/2023, 5:00 PM | 201 |