库斯托语。仅当前一个时间值不相同时才获取一个值
Kusto language. Get one value only if the previous value in time is not the same
我非常模糊的标题的上下文:我有 4 个虚拟机将它们的日志发送到 application insights。
我检索日志并使用 kusto 语言将其转换为 table。
Table 结果
Query:
AzureActivity
| where ResourceProvider == "Microsoft.Compute" and ActivityStatus == "Succeeded" and OperationName == "Deallocate Virtual Machine"
| project DeallocateResource=Resource ,DeallocatedDate=format_datetime(EventSubmissionTimestamp, 'yyyy-MM-dd') ,DeallocatedTime=format_datetime(EventSubmissionTimestamp, 'HH:mm:ss')
| join kind=fullouter
(
AzureActivity
| where ResourceProvider == "Microsoft.Compute" and ActivityStatus == "Succeeded" and OperationName == "Start Virtual Machine"
| project StartupResource=Resource ,StartDate=format_datetime(EventSubmissionTimestamp, 'yyyy-MM-dd') ,StartTime=format_datetime(EventSubmissionTimestamp, 'HH:mm:ss')
)
on $right.StartupResource == $left.DeallocateResource
| where StartDate == DeallocatedDate
| project Resource=coalesce(StartupResource, DeallocateResource) ,
Date=format_datetime(todatetime(coalesce(StartDate, DeallocatedDate)), 'dd/MM/yyyy' )
, StartTime= StartTime ,StopTime=DeallocatedTime ,
Runtime_Hours = format_datetime(datetime_add('minute',datetime_diff('minute', todatetime(strcat(StartDate , " " , DeallocatedTime )) , todatetime(strcat(StartDate , " " , StartTime ))), make_datetime(2017,1,1)), 'hh:mm')
| sort by Date asc , Resource asc
如您所见,当 VM 在 8:15 启动并在 8:58 停止并且具有 运行 次 [=34] 时,运行时间不正确=]小时然后有问题。在 VM 的 activity 日志中,我看到一些同事对 VM 做了一些奇怪的事情。并启动了几次(他再次启动后一分钟,当您同时单击两次开始按钮时可能出现故障)。
Activity 日志
我确实找到了解决问题的理论方法:
我的查询需要更改,以便仅当 VM 启动并随后停止时,运行 时间甚至开始和停止时间都需要记录在时间 table 中。但是 atm 我得到了所有 "Start Virtual Machines" 和所有 "Stop Virtual Machines" 并且只是在 table 中订购它们,这导致我的结果混淆 table.
但我似乎无法在我的查询中找到调整它的方法。说Get the start virtual machine only when it's the first of the day (when the previous is not start virtual machine) or the previous log is "deallocate virtual machine" 因为这不是按顺序start-stop。一天中的时间需要在公式中。
仅当前一个是启动虚拟机时才获取释放虚拟机。
并计算每个 运行 的 运行 时间,而不是每天。
因为我是 SQL 和 kusto 的新手,所以我不是来找人给我解决方案或为我做工作的。
我希望是否有人可以帮助我或指导我朝着正确的方向找到解决问题的方法。
提前致谢!!!
请检查以下方法是否能让您更接近您的需要。
datatable(Resource:string, Event:string, EventTime:datetime)
[
'Machine1', 'Start', datetime(2019-04-12 00:00),
'Machine1', 'Stop', datetime(2019-04-12 01:00),
'Machine1', 'Start', datetime(2019-04-12 01:30),
'Machine1', 'Start', datetime(2019-04-12 01:45),
'Machine1', 'Stop', datetime(2019-04-12 11:45),
// Machine2
'Machine2', 'Start', datetime(2019-04-12 00:00),
'Machine2', 'Stop', datetime(2019-04-12 01:00),
'Machine2', 'Stop', datetime(2019-04-12 01:20),
'Machine2', 'Start', datetime(2019-04-12 01:30),
'Machine2', 'Stop', datetime(2019-04-12 11:45),
]
| order by Resource asc, EventTime asc
| extend IsSameResource = (prev(Resource) == Resource)
| extend PrevState = iif(IsSameResource, prev(Event), Event), CurrentState = Event
| extend RunTime = iif(PrevState == 'Start' and CurrentState == 'Stop', EventTime - prev(EventTime), time(null)),
StartTime = prev(EventTime)
| where isnotnull(RunTime)
| project Resource, StartTime, EndTime = EventTime, RunTime
[编辑]
相同的方法 - 但使用问题中提供的列:
let AzureActivity = datatable(ResourceProvider:string, Resource:string, ActivityStatus:string, OperationName:string, EventSubmissionTimestamp:datetime)
[
"Microsoft.Compute", 'Machine1', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 00:00),
"Microsoft.Compute", 'Machine1', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 01:00),
"Microsoft.Compute", 'Machine1', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 01:30),
"Microsoft.Compute", 'Machine1', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 01:45),
"Microsoft.Compute", 'Machine1', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 11:45),
// Machine2
"Microsoft.Compute", 'Machine2', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 00:00),
"Microsoft.Compute", 'Machine2', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 01:00),
"Microsoft.Compute", 'Machine2', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 01:20),
"Microsoft.Compute", 'Machine2', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 01:30),
"Microsoft.Compute", 'Machine2', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 11:45),
];
AzureActivity
| where ResourceProvider == "Microsoft.Compute"
| where OperationName in ('Deallocate Virtual Machine','Start Virtual Machine')
| where ActivityStatus == 'Succeeded'
| order by Resource asc, EventSubmissionTimestamp asc
| extend IsSameResource = (prev(Resource) == Resource)
| extend PrevState = iif(IsSameResource, prev(OperationName), OperationName), CurrentState = OperationName
| extend RunTime = iif(PrevState == 'Start Virtual Machine' and CurrentState == 'Deallocate Virtual Machine', EventSubmissionTimestamp - prev(EventSubmissionTimestamp), time(null)),
StartTime = prev(EventSubmissionTimestamp)
| where isnotnull(RunTime)
| project Resource, StartTime, EndTime = EventSubmissionTimestamp, RunTime
我非常模糊的标题的上下文:我有 4 个虚拟机将它们的日志发送到 application insights。 我检索日志并使用 kusto 语言将其转换为 table。
Table 结果
Query:
AzureActivity
| where ResourceProvider == "Microsoft.Compute" and ActivityStatus == "Succeeded" and OperationName == "Deallocate Virtual Machine"
| project DeallocateResource=Resource ,DeallocatedDate=format_datetime(EventSubmissionTimestamp, 'yyyy-MM-dd') ,DeallocatedTime=format_datetime(EventSubmissionTimestamp, 'HH:mm:ss')
| join kind=fullouter
(
AzureActivity
| where ResourceProvider == "Microsoft.Compute" and ActivityStatus == "Succeeded" and OperationName == "Start Virtual Machine"
| project StartupResource=Resource ,StartDate=format_datetime(EventSubmissionTimestamp, 'yyyy-MM-dd') ,StartTime=format_datetime(EventSubmissionTimestamp, 'HH:mm:ss')
)
on $right.StartupResource == $left.DeallocateResource
| where StartDate == DeallocatedDate
| project Resource=coalesce(StartupResource, DeallocateResource) ,
Date=format_datetime(todatetime(coalesce(StartDate, DeallocatedDate)), 'dd/MM/yyyy' )
, StartTime= StartTime ,StopTime=DeallocatedTime ,
Runtime_Hours = format_datetime(datetime_add('minute',datetime_diff('minute', todatetime(strcat(StartDate , " " , DeallocatedTime )) , todatetime(strcat(StartDate , " " , StartTime ))), make_datetime(2017,1,1)), 'hh:mm')
| sort by Date asc , Resource asc
如您所见,当 VM 在 8:15 启动并在 8:58 停止并且具有 运行 次 [=34] 时,运行时间不正确=]小时然后有问题。在 VM 的 activity 日志中,我看到一些同事对 VM 做了一些奇怪的事情。并启动了几次(他再次启动后一分钟,当您同时单击两次开始按钮时可能出现故障)。
Activity 日志
我确实找到了解决问题的理论方法: 我的查询需要更改,以便仅当 VM 启动并随后停止时,运行 时间甚至开始和停止时间都需要记录在时间 table 中。但是 atm 我得到了所有 "Start Virtual Machines" 和所有 "Stop Virtual Machines" 并且只是在 table 中订购它们,这导致我的结果混淆 table.
但我似乎无法在我的查询中找到调整它的方法。说Get the start virtual machine only when it's the first of the day (when the previous is not start virtual machine) or the previous log is "deallocate virtual machine" 因为这不是按顺序start-stop。一天中的时间需要在公式中。 仅当前一个是启动虚拟机时才获取释放虚拟机。 并计算每个 运行 的 运行 时间,而不是每天。
因为我是 SQL 和 kusto 的新手,所以我不是来找人给我解决方案或为我做工作的。 我希望是否有人可以帮助我或指导我朝着正确的方向找到解决问题的方法。
提前致谢!!!
请检查以下方法是否能让您更接近您的需要。
datatable(Resource:string, Event:string, EventTime:datetime)
[
'Machine1', 'Start', datetime(2019-04-12 00:00),
'Machine1', 'Stop', datetime(2019-04-12 01:00),
'Machine1', 'Start', datetime(2019-04-12 01:30),
'Machine1', 'Start', datetime(2019-04-12 01:45),
'Machine1', 'Stop', datetime(2019-04-12 11:45),
// Machine2
'Machine2', 'Start', datetime(2019-04-12 00:00),
'Machine2', 'Stop', datetime(2019-04-12 01:00),
'Machine2', 'Stop', datetime(2019-04-12 01:20),
'Machine2', 'Start', datetime(2019-04-12 01:30),
'Machine2', 'Stop', datetime(2019-04-12 11:45),
]
| order by Resource asc, EventTime asc
| extend IsSameResource = (prev(Resource) == Resource)
| extend PrevState = iif(IsSameResource, prev(Event), Event), CurrentState = Event
| extend RunTime = iif(PrevState == 'Start' and CurrentState == 'Stop', EventTime - prev(EventTime), time(null)),
StartTime = prev(EventTime)
| where isnotnull(RunTime)
| project Resource, StartTime, EndTime = EventTime, RunTime
[编辑]
相同的方法 - 但使用问题中提供的列:
let AzureActivity = datatable(ResourceProvider:string, Resource:string, ActivityStatus:string, OperationName:string, EventSubmissionTimestamp:datetime)
[
"Microsoft.Compute", 'Machine1', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 00:00),
"Microsoft.Compute", 'Machine1', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 01:00),
"Microsoft.Compute", 'Machine1', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 01:30),
"Microsoft.Compute", 'Machine1', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 01:45),
"Microsoft.Compute", 'Machine1', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 11:45),
// Machine2
"Microsoft.Compute", 'Machine2', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 00:00),
"Microsoft.Compute", 'Machine2', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 01:00),
"Microsoft.Compute", 'Machine2', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 01:20),
"Microsoft.Compute", 'Machine2', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 01:30),
"Microsoft.Compute", 'Machine2', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 11:45),
];
AzureActivity
| where ResourceProvider == "Microsoft.Compute"
| where OperationName in ('Deallocate Virtual Machine','Start Virtual Machine')
| where ActivityStatus == 'Succeeded'
| order by Resource asc, EventSubmissionTimestamp asc
| extend IsSameResource = (prev(Resource) == Resource)
| extend PrevState = iif(IsSameResource, prev(OperationName), OperationName), CurrentState = OperationName
| extend RunTime = iif(PrevState == 'Start Virtual Machine' and CurrentState == 'Deallocate Virtual Machine', EventSubmissionTimestamp - prev(EventSubmissionTimestamp), time(null)),
StartTime = prev(EventSubmissionTimestamp)
| where isnotnull(RunTime)
| project Resource, StartTime, EndTime = EventSubmissionTimestamp, RunTime