log analytic workspace workbooks report having error message

Question

Hi all,

i having this issue on a workbook, when i try to run the report, the workbook report throw an error message Query partially succeeded; results may be incomplete or incorrect. i have attach the screenshot. workbooks error message.jpg

Answer 1

This may help, however the query you shared doesnt look like the one in the Workbook error? Anyway taking the query provided, I use Materialize() to cache the data - so its only runs once rather than the 4 times with your let statements.
I only did a few basic tests, but it runs in roughly half the time, I'm not sure it will help, but worth a try against your data set.

let EndDate = startofmonth(now())-1s;
let StartDate = startofmonth(EndDate);
let cache_= 
    // build a cache of the data - query once, use many times if required
    materialize 
    (
        SecurityIncident
        |where CreatedTime between(StartDate .. (EndDate))
        // Gather only the necessary columns
        |summarize arg_max(TimeGenerated, Severity, CreatedTime) by IncidentNumber
    );
// Call the cache to get the Totals
cache_ 
| summarize count_ = count() by Severity="Total"
| as Total_
// Now union the results to get Total and the other Severities 
| union cache_, Total_
// Remove Infomational
| where Severity !='Informational'
| summarize Count=count() by Type=Severity, count_
// Tidy up the count columns 
| extend Count = iif(isempty(count_), Count, count_) 
| project-away count_
// Perform a sort by numbered row 
| extend Row = case (
                     Type=='Total',1,
                     Type=='High',2,
                     Type=='Medium',3,
                     Type=='Low',4,
                     // else
                     0
                    )
|project-reorder Row, Type
|order by Row asc

Answer 2

This can often be down to one of three or four reasons: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/concepts/partial-query-failures

Try to limit or filter the data the query processes. Do you get a different results outside of a Workbook, in the Logs blade?
It looks like you are counting events in many tables over a month, that could be a lot of data process. If you share the query maybe we can help optimise it?

Answer 3

Hi,

this is the queries on the report

let EndDate = startofmonth(now())-1s;

let StartDate = startofmonth(EndDate);

let highnotifyincidents=SecurityIncident

|summarize arg_max(TimeGenerated, *) by IncidentNumber

|where CreatedTime between(StartDate .. (EndDate))

|where tostring(Labels) contains "P_TP:"

|where Severity in ('High')

|summarize Count=count()

|extend Type='2High Severity';

let mednotifyincidents=SecurityIncident

|summarize arg_max(TimeGenerated, *) by IncidentNumber

|where CreatedTime between(StartDate .. (EndDate))

|where tostring(Labels) contains "P_TP:"

|where Severity in ('Medium')

|summarize Count=count()

|extend Type='3Medium Severity';

let lownotifyincidents=SecurityIncident

|summarize arg_max(TimeGenerated, *) by IncidentNumber

|where CreatedTime between(StartDate .. (EndDate))

|where tostring(Labels) contains "P_TP:"

|where Severity in ('Low')

|summarize Count=count()

|extend Type='4Low Severity';

let notifyincidents=SecurityIncident

|summarize arg_max(TimeGenerated, *) by IncidentNumber

|where CreatedTime between(StartDate .. (EndDate))

|where tostring(Labels) contains "P_TP:"

|summarize Count=count()

|extend Type='1Total';

union notifyincidents,highnotifyincidents,mednotifyincidents,lownotifyincidents

|extend Row=substring(Type,0,1)

|extend Type=substring(Type,1)

|project-reorder Row, Type, * desc

|order by Row asc

|render table