Davis DQL examples

These examples illustrate how to build powerful and flexible health dashboards by using DQL to slice and dice all Davis reported problems and events.

Davis problems represent results that originate from the Davis root-cause analysis runs. In Grail, Davis problems and their updates are stored as Grail events.

Davis events represent raw events that originate from various anomaly detectors within Dynatrace or within the OneAgent. Examples here are OneAgent-detected CPU saturation events or high garbage collection time events.

Count the total number of problems in the last 24 hours

fetch dt.davis.problems, from:now()-24h, to:now()
| summarize {problemCount = countDistinct(event.id)}

Query result

Count the current number of active problems

fetch dt.davis.problems
| filter event.status == "ACTIVE"
| summarize {activeEvents = countDistinct(event.id)}

Query result

Chart the number of problems in the last 7 days to identify a trend within your environment stability

fetch dt.davis.problems, from:now()-7d
| makeTimeseries count(), time:{timestamp}

Query result

Identify the top 10 problem-affected entities within your environment

fetch dt.davis.problems
| expand affected_entity_ids
| summarize by:{affected_entity_ids}, count = countDistinct(display_id)
| sort count, direction:"descending"
| limit 10

Query result

Fetch all problems for a host with the name "myhost"

A join with entity attributes is performed with the goal to filter all problems with a given host name.

fetch dt.davis.problems
| expand affected_entity_ids
| lookup sourceField:affected_entity_ids, lookupField:id, prefix:"host.", [
fetch dt.entity.host | fields id, name = entity.name
]
| filter host.name == "myhost"
| limit 3

Query result

Load the last state of a given problem

A join with entity attributes is performed with the goal to filter all problems with a given host name.

fetch dt.davis.problems
| filter display_id == "P-24051200"

Query result

Load all active problems and exclude all those that are marked as duplicates

Fetch all active problems that were not marked as duplicates. Because the duplicate flag appears during the lifecycle of a problem, the update events need to be sorted by timestamp and then summarized by taking the last state of the duplicate and status fields. Only after sorting them by timestamp is it possible to correctly apply the filter.

fetch dt.davis.problems
| filter event.status == "ACTIVE" and not dt.davis.is_duplicate == "true"

Query result

Calculate the mean time to resolve for problems over time

This example shows how to calculate the mean time necessary to resolve all the reported problems by summarizing the delta between start and end of each problem over time.

fetch dt.davis.problems, from:now()-7d
| filter event.status == "CLOSED"
| filter dt.davis.is_frequent_event == false and dt.davis.is_duplicate == false and maintenance.is_under_maintenance == false
| makeTimeseries `AVG Problem duration in hours` = avg(toLong(resolved_problem_duration)/3600000000000.0), time:event.end

Show a chart of the concurrently open problems over time

This example shows how to query data for a chart of the concurrently open problems over time by filling all the resolution gaps with the spread command.

fetch dt.davis.problems
| makeTimeseries count = count(), spread: timeframe(from: event.start, to: coalesce(event.end, now()))

Chart the number of CPU saturation and high-memory events in the last 7 days

fetch dt.davis.events, from:now()-7d, to:now()
| filter event.kind == "DAVIS_EVENT"
| filter event.type == "OSI_HIGH_CPU" or event.type == "OSI_HIGH_MEMORY"
| summarize count = count(), by: {`60m interval` = bin(timestamp, 60m)}

Query result