kusto 查询在对其他两列使用 distinct 后显示第三列
kusto query to show the third column after using distinct for two other columns
您好,我正在尝试在下面的 Kusto 查询中显示摄取时间,您能否提供建议
find withsource=source in (cluster(X).database('y*').['TextFileLogs'])
where AttemptedIngestTime > ago(7d)
and FileLineContent contains "<li>Build Number:"
| distinct source , FileLineContent //, AttemptedIngestTime
| extend databaseName = extract(@"""(oci-[^""]*)""", 1, source)
| extend BuildNumber = extract(@"([A-Z]\w*\.[0-9]\d*\.[0-9]\d*\.[0-9]\d*)",1,FileLineContent)
| extend StampVersion = extract(@"([0-9]\d*\.[0-9]\d*\.[0-9]\d*\.[0-9]\d*)",1,FileLineContent)
| extend cluster = X
//| extend IngestedTime = AttemptedIngestTime
| summarize NumberOfRuns=count() by BuildNumber , StampVersion
您可以将 distinct source, FileLineContent 替换为 summarize min(AttemptedIngestTime) by source, FileLineContent
- 或将
min 替换为 max,具体取决于您想要的语义)
然后,您仍然需要决定如何在最终 summarize 中聚合它(作为 min(AttemptedIngestTime),或作为按键分组,例如 startofday(AttemptedIngestTime))
无论如何,您应该考虑以下 query best practices 和:
- 将
contains 的用法替换为 has。
- 将
extract 的用法替换为 parse。
您好,我正在尝试在下面的 Kusto 查询中显示摄取时间,您能否提供建议
find withsource=source in (cluster(X).database('y*').['TextFileLogs'])
where AttemptedIngestTime > ago(7d)
and FileLineContent contains "<li>Build Number:"
| distinct source , FileLineContent //, AttemptedIngestTime
| extend databaseName = extract(@"""(oci-[^""]*)""", 1, source)
| extend BuildNumber = extract(@"([A-Z]\w*\.[0-9]\d*\.[0-9]\d*\.[0-9]\d*)",1,FileLineContent)
| extend StampVersion = extract(@"([0-9]\d*\.[0-9]\d*\.[0-9]\d*\.[0-9]\d*)",1,FileLineContent)
| extend cluster = X
//| extend IngestedTime = AttemptedIngestTime
| summarize NumberOfRuns=count() by BuildNumber , StampVersion
您可以将 distinct source, FileLineContent 替换为 summarize min(AttemptedIngestTime) by source, FileLineContent
- 或将
min替换为max,具体取决于您想要的语义)
然后,您仍然需要决定如何在最终 summarize 中聚合它(作为 min(AttemptedIngestTime),或作为按键分组,例如 startofday(AttemptedIngestTime))
无论如何,您应该考虑以下 query best practices 和:
- 将
contains的用法替换为has。 - 将
extract的用法替换为parse。