Currently, I am having a query which returns Union of 3 tables (total 13 rows). All 3 tables have same set of columns.
Current Query
let bytes_to_gb =
(1024 * 1024 * 1024)
;
let tab_cpu =
performanceCounters
| where category == "Processor" and counter == "% Processor Time" and instance == "_Total"
| where ...
| summarize timestamp = max(timestamp), value = avg(value) by host_name = cloud_RoleInstance, host_type = "WXYZ", counter_name = "%CPU", threshold = 90
;
let tab_memory =
performanceCounters
| where category == "Memory" and counter == "Available Bytes"
| where ...
| summarize timestamp = max(timestamp), value = avg(value / bytes_to_gb) by host_name = cloud_RoleInstance, host_type = "ZYXW", counter_name = "Available Memory (GB)", threshold = 10
;
let tab_exceptions =
exceptions
| where ...
| summarize timestamp = max(timestamp), value = (count(itemCount) * 1.0) by host_name = "Exceptions", host_type = "Web", counter_name = "Exception", threshold = 10
| where value >= 10
union
tab_cpu, // 6 rows
tab_memory, // 6 rows
tab_exceptions // 1 row
What I are looking for is - include result of tab_cpu and tab_memory ONLY if tab_exceptions has rows.
This is how I would have done in SQL Query, but not getting proper solution for KQL.
IF EXISTS (SELECT * FROM tab_exceptions WHERE ...)
SELECT * FROM tab_cpu WHERE ...;
UNION
SELECT * FROM tab_memory WHERE ...
UNION
SELECT * FROM tab_exceptions WHERE ...
ELSE
...
