|
3 | 3 | -- |
4 | 4 | -- Description: |
5 | 5 | -- This SQL script retrieves the top 100 most common events from the event logging system, providing |
6 | | --- insights into the events that occur most frequently. The query returns the event display number, raw description |
7 | | --- of the event, the computer name where the event was logged, and the total number of occurrences of each event. |
8 | | --- Additionally, it calculates the span of days over which each event has been logged, helping identify long-running |
9 | | --- or persistent issues. This query is designed to assist in identifying patterns or anomalies in event logs, particularly |
10 | | --- useful in large-scale environments where understanding event noise and distribution can aid in proactive management and troubleshooting. |
| 6 | +-- insights into the events that occur most frequently. The query returns the event display number, the rendered |
| 7 | +-- description of the event, the computer name where the event was logged, and the total number of occurrences |
| 8 | +-- of each event. Additionally, it calculates the span of days over which each event has been logged, helping |
| 9 | +-- identify long-running or persistent issues. This query is especially useful in large-scale environments |
| 10 | +-- where understanding event noise and distribution can aid in proactive management and troubleshooting. |
11 | 11 | -- |
12 | 12 | -- Author: Blake Drumm (blakedrumm@microsoft.com) |
13 | 13 | -- Date Created: May 7th, 2024 |
|
16 | 16 | ---------------------------------------------------------------------------------------------------------------- |
17 | 17 | -- Selects the top 100 records from the result set |
18 | 18 | SELECT TOP 100 |
19 | | - evt.EventDisplayNumber, -- Display number of the event |
20 | | - evtd.RenderedDescription, -- Raw description of the event |
21 | | - evtlc.ComputerName, -- Name of the computer logging the event |
22 | | - COUNT(*) AS TotalEvents, -- Total number of events aggregated by display number, description, and computer name |
| 19 | + evt.EventDisplayNumber, -- Display number of the event |
| 20 | + evtd.RenderedDescription, -- Rendered description of the event |
| 21 | + evtlc.ComputerName, -- Name of the computer logging the event |
| 22 | + COUNT(*) AS TotalEvents, -- Total number of events aggregated by display number, description, and computer name |
23 | 23 | DATEDIFF(DAY, MIN(evt.DateTime), MAX(evt.DateTime)) + 1 AS DaysOfData -- Calculates the span of days between the earliest and latest event dates for each group |
24 | 24 | FROM |
25 | | - Event.vEvent AS evt -- From the main events table |
| 25 | + Event.vEvent AS evt -- From the main events table |
26 | 26 | INNER JOIN |
27 | | - Event.vEventDetail AS evtd -- Joined with event details on EventOriginId |
| 27 | + Event.vEventDetail AS evtd -- Joined with event details on EventOriginId |
28 | 28 | ON evt.EventOriginId = evtd.EventOriginId |
29 | 29 | INNER JOIN |
30 | | - vEventLoggingComputer AS evtlc -- Joined with the event logging computer table on LoggingComputerRowId |
| 30 | + vEventLoggingComputer AS evtlc -- Joined with the event logging computer table on LoggingComputerRowId |
31 | 31 | ON evt.LoggingComputerRowId = evtlc.EventLoggingComputerRowId |
| 32 | +/* |
| 33 | +WHERE |
| 34 | + evt.DateTime > GETUTCDATE() -- Filters to include only events with dates greater than now |
| 35 | +*/ |
32 | 36 | GROUP BY |
33 | | - evt.EventDisplayNumber, -- Groups the results by event display number, |
34 | | - evtd.RenderedDescription, -- raw event description, |
35 | | - evtlc.ComputerName -- and computer name |
| 37 | + evt.EventDisplayNumber, |
| 38 | + evtd.RenderedDescription, -- Rendered event description |
| 39 | + evtlc.ComputerName -- and computer name |
36 | 40 | ORDER BY |
37 | | - TotalEvents DESC -- Orders the results by the total number of events, in descending order |
| 41 | + DaysOfData DESC, -- Orders the results by the span of days, descending |
| 42 | + TotalEvents DESC -- and then by the total number of events, descending |
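Review bot: The new `ORDER BY DaysOfData DESC, TotalEvents DESC` makes `TOP 100` keep the groups with the longest day span, not the highest count, which contradicts the header's "top 100 most common events". A group logged twice a year apart now outranks one that fired thousands of times in a week, so the noisiest events can fall out of the result. If frequency is the intent, order by `TotalEvents DESC, DaysOfData DESC`; otherwise update the description to say the ranking is by persistence. Separately, the commented-out `WHERE evt.DateTime > GETUTCDATE()` would match only future-dated rows if enabled. A look-back bound such as `evt.DateTime >= DATEADD(DAY, -30, GETUTCDATE())` (the window length is a placeholder) is presumably what was meant, and would also keep the aggregation from scanning the full event history.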