KUSTO: Threshold line in multiple split query

Question

I want to show a threshold for a specific value in a KUSTO query. I seems simple but doesn't work, I think, when your query is using multiple 'by' clauses in a summarize.

This works, the line is shown at 4500:

customEvents
 | where name == "Event sharepoint monitoring script" 
 | where timestamp >= ago(14d)
 | extend spRequestDuration = customDimensions.["spRequestDuration"]    
 | summarize avgRequestDuration=avg(todouble(spRequestDuration)), threshold = 4500 by bin(timestamp, 5m) // use a time grain of 5 minutes
 | render timechart  

But for below query, no additional threshold line is shown.

customEvents
 | where name == "Event sharepoint monitoring script" 
 | where timestamp >= ago(14d)
 | extend spRequestDuration = customDimensions.["spRequestDuration"]  
 | extend siteType = customDimensions.["SiteType"] 
 | summarize avgRequestDuration=avg(todouble(spRequestDuration)), threshold = 4500 by tostring(siteType), bin(timestamp, 5m) // use a time grain of 5 minutes
 | render timechart  

Should I do it in a different way, or is this not supported?

Answer 1

You need to create the "threshold" as a single additional "siteType" series, one way to do it is by having a union with another data set that contains just the "threshold" as a site of its own. here is an example:

let events = customEvents
 | where name == "Event sharepoint monitoring script" 
 | where timestamp >= ago(14d)
 | extend spRequestDuration = customDimensions.["spRequestDuration"]
 | extend siteType = customDimensions.["SiteType"];
 events
 | summarize avgRequestDuration=avg(todouble(spRequestDuration)) by tostring(siteType), bin(timestamp, 5m) // use a time grain of 5 minutes
 | union (events | summarize by bin(timestamp, 5m), siteType="Threshold" | extend avgRequestDuration = 4500.0)
 | render timechart