如何在同一列上使用标量运算?
How do I use scalar operation on same column?
我无法理解如何根据 Azure Activity 日志正确编写 returnVM 运行 多长时间的查询。
查询以下 returns 虚拟机启动和解除分配时的最新值。所以我需要 return 值,它告诉我机器已经 运行 多长时间或虚拟机被释放时的负值。我该如何正确地做到这一点?
AzureActivity | where TimeGenerated >= ago(30d) and OperationName == "Deallocate Virtual Machine" or OperationName == "Start Virtual Machine" and ActivityStatus == "Succeeded"
| summarize arg_max(EventSubmissionTimestamp, *) by OperationName
假设您有一个 table AzureActivity,其中包含列 OperationName、TimeGenerated、EventSubmissionTimestamp、MachineId、ActivityStatus(我从您的问题中导出列),您可以使用下一个查询:
// Inline data for the purpose of the query demonstration
let AzureActivity = datatable(OperationName:string, TimeGenerated:datetime, EventSubmissionTimestamp:datetime, MachineId:string, ActivityStatus:string)
[
// Machine 1
'Start Virtual Machine', datetime(2019-01-27 00:00), datetime(2019-01-27 00:00), 'Machine1', 'Succeeded',
'Deallocate Virtual Machine', datetime(2019-01-27 00:00), datetime(2019-01-27 01:00), 'Machine1', 'Succeeded',
// Machine 2
'Start Virtual Machine', datetime(2019-01-27 00:00), datetime(2019-01-27 00:00), 'Machine2', 'Succeeded',
];
// Query starts here
let _data = materialize(
AzureActivity
| where TimeGenerated >= ago(30d)
and (OperationName == "Deallocate Virtual Machine" or OperationName == "Start Virtual Machine")
and ActivityStatus == "Succeeded"
| summarize arg_max(EventSubmissionTimestamp, *) by OperationName, MachineId
);
let startEvents = _data | where OperationName == 'Start Virtual Machine' | project StartTime = EventSubmissionTimestamp, MachineId;
let deallocateEvents = _data | where OperationName == 'Deallocate Virtual Machine' | project DeallocateTime = EventSubmissionTimestamp, MachineId;
startEvents | join kind = fullouter (deallocateEvents) on MachineId
| project MachineId, StartTime, DeallocateTime,
UpTime=iif(isnotnull(DeallocateTime),
(DeallocateTime-now()),
(now()-StartTime))
我无法理解如何根据 Azure Activity 日志正确编写 returnVM 运行 多长时间的查询。 查询以下 returns 虚拟机启动和解除分配时的最新值。所以我需要 return 值,它告诉我机器已经 运行 多长时间或虚拟机被释放时的负值。我该如何正确地做到这一点?
AzureActivity | where TimeGenerated >= ago(30d) and OperationName == "Deallocate Virtual Machine" or OperationName == "Start Virtual Machine" and ActivityStatus == "Succeeded"
| summarize arg_max(EventSubmissionTimestamp, *) by OperationName
假设您有一个 table AzureActivity,其中包含列 OperationName、TimeGenerated、EventSubmissionTimestamp、MachineId、ActivityStatus(我从您的问题中导出列),您可以使用下一个查询:
// Inline data for the purpose of the query demonstration
let AzureActivity = datatable(OperationName:string, TimeGenerated:datetime, EventSubmissionTimestamp:datetime, MachineId:string, ActivityStatus:string)
[
// Machine 1
'Start Virtual Machine', datetime(2019-01-27 00:00), datetime(2019-01-27 00:00), 'Machine1', 'Succeeded',
'Deallocate Virtual Machine', datetime(2019-01-27 00:00), datetime(2019-01-27 01:00), 'Machine1', 'Succeeded',
// Machine 2
'Start Virtual Machine', datetime(2019-01-27 00:00), datetime(2019-01-27 00:00), 'Machine2', 'Succeeded',
];
// Query starts here
let _data = materialize(
AzureActivity
| where TimeGenerated >= ago(30d)
and (OperationName == "Deallocate Virtual Machine" or OperationName == "Start Virtual Machine")
and ActivityStatus == "Succeeded"
| summarize arg_max(EventSubmissionTimestamp, *) by OperationName, MachineId
);
let startEvents = _data | where OperationName == 'Start Virtual Machine' | project StartTime = EventSubmissionTimestamp, MachineId;
let deallocateEvents = _data | where OperationName == 'Deallocate Virtual Machine' | project DeallocateTime = EventSubmissionTimestamp, MachineId;
startEvents | join kind = fullouter (deallocateEvents) on MachineId
| project MachineId, StartTime, DeallocateTime,
UpTime=iif(isnotnull(DeallocateTime),
(DeallocateTime-now()),
(now()-StartTime))