-
Notifications
You must be signed in to change notification settings - Fork 35
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
d2ad6a3
commit 2b8374c
Showing
1 changed file
with
21 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,11 +3,11 @@ | |
| -- | ||
| -- Description: | ||
| -- This SQL script retrieves the top 100 most common events from the event logging system, providing | ||
| -- insights into the events that occur most frequently. The query returns the event display number, raw description | ||
| -- of the event, the computer name where the event was logged, and the total number of occurrences of each event. | ||
| -- Additionally, it calculates the span of days over which each event has been logged, helping identify long-running | ||
| -- or persistent issues. This query is designed to assist in identifying patterns or anomalies in event logs, particularly | ||
| -- useful in large-scale environments where understanding event noise and distribution can aid in proactive management and troubleshooting. | ||
| -- insights into the events that occur most frequently. The query returns the event display number, the rendered | ||
| -- description of the event, the computer name where the event was logged, and the total number of occurrences | ||
| -- of each event. Additionally, it calculates the span of days over which each event has been logged, helping | ||
| -- identify long-running or persistent issues. This query is especially useful in large-scale environments | ||
| -- where understanding event noise and distribution can aid in proactive management and troubleshooting. | ||
| -- | ||
| -- Author: Blake Drumm ([email protected]) | ||
| -- Date Created: May 7th, 2024 | ||
|
|
@@ -16,22 +16,27 @@ | |
| ---------------------------------------------------------------------------------------------------------------- | ||
| -- Selects the top 100 records from the result set | ||
| SELECT TOP 100 | ||
| evt.EventDisplayNumber, -- Display number of the event | ||
| evtd.RenderedDescription, -- Raw description of the event | ||
| evtlc.ComputerName, -- Name of the computer logging the event | ||
| COUNT(*) AS TotalEvents, -- Total number of events aggregated by display number, description, and computer name | ||
| evt.EventDisplayNumber, -- Display number of the event | ||
| evtd.RenderedDescription, -- Rendered description of the event | ||
| evtlc.ComputerName, -- Name of the computer logging the event | ||
| COUNT(*) AS TotalEvents, -- Total number of events aggregated by display number, description, and computer name | ||
| DATEDIFF(DAY, MIN(evt.DateTime), MAX(evt.DateTime)) + 1 AS DaysOfData -- Calculates the span of days between the earliest and latest event dates for each group | ||
| FROM | ||
| Event.vEvent AS evt -- From the main events table | ||
| Event.vEvent AS evt -- From the main events table | ||
| INNER JOIN | ||
| Event.vEventDetail AS evtd -- Joined with event details on EventOriginId | ||
| Event.vEventDetail AS evtd -- Joined with event details on EventOriginId | ||
| ON evt.EventOriginId = evtd.EventOriginId | ||
| INNER JOIN | ||
| vEventLoggingComputer AS evtlc -- Joined with the event logging computer table on LoggingComputerRowId | ||
| vEventLoggingComputer AS evtlc -- Joined with the event logging computer table on LoggingComputerRowId | ||
| ON evt.LoggingComputerRowId = evtlc.EventLoggingComputerRowId | ||
| /* | ||
| WHERE | ||
| evt.DateTime > GETUTCDATE() -- Filters to include only events with dates greater than now | ||
| */ | ||
| GROUP BY | ||
| evt.EventDisplayNumber, -- Groups the results by event display number, | ||
| evtd.RenderedDescription, -- raw event description, | ||
| evtlc.ComputerName -- and computer name | ||
| evt.EventDisplayNumber, | ||
| evtd.RenderedDescription, -- Rendered event description | ||
| evtlc.ComputerName -- and computer name | ||
| ORDER BY | ||
| TotalEvents DESC -- Orders the results by the total number of events, in descending order | ||
| DaysOfData DESC, -- Orders the results by the span of days, descending | ||
| TotalEvents DESC -- and then by the total number of events, descending | ||