Kusto 查询:根据时间检索最近的 2 次运行并进行汇总
Kusto Query : Retrieve latest 2 runs based on the time and summarize
我是 Kusto 的新手,正在尝试检索最近 2 次运行的数据并汇总错误计数。
请参考下面的代码片段,
供参考,下面是定义示例表的查询:
// Sample run log: one "start" and one "end" row per RunId, tagged with its AppName.
// All timestamps are fixed instants on 2020-02-27, so a `timestamp < ago(6h)`
// filter evaluated later than that day keeps every row.
let Temptable = datatable(RunId:string, Message:string, AppName:string, timestamp:datetime)
[
    "1",  "start", "App1", '2020-02-27T04:30:01.6062658Z',
    "1",  "end",   "App1", '2020-02-27T04:31:01.6062658Z',
    "2",  "start", "App1", '2020-02-27T04:00:01.6062658Z',
    "2",  "end",   "App1", '2020-02-27T04:01:01.6062658Z',
    "3",  "start", "App1", '2020-02-27T03:30:01.6062658Z',
    "3",  "end",   "App1", '2020-02-27T03:31:01.6062658Z',
    "4",  "start", "App1", '2020-02-27T03:00:01.6062658Z',
    "4",  "end",   "App1", '2020-02-27T03:01:01.6062658Z',
    "5",  "start", "App1", '2020-02-27T02:30:01.6062658Z',
    "5",  "end",   "App1", '2020-02-27T02:31:01.6062658Z',
    "6",  "start", "App2", '2020-02-27T04:00:01.6062658Z',
    "6",  "end",   "App2", '2020-02-27T04:01:01.6062658Z',
    "7",  "start", "App2", '2020-02-27T03:00:01.6062658Z',
    "7",  "end",   "App2", '2020-02-27T03:01:01.6062658Z',
    "8",  "start", "App2", '2020-02-27T02:00:01.6062658Z',
    "8",  "end",   "App2", '2020-02-27T02:01:01.6062658Z',
    "9",  "start", "App3", '2020-02-27T01:00:01.6062658Z',
    "9",  "end",   "App3", '2020-02-27T01:01:01.6062658Z',
    "10", "start", "App4", '2020-02-27T00:30:01.6062658Z',
    "10", "end",   "App4", '2020-02-27T00:32:01.6062658Z',
    "11", "start", "App4", '2020-02-27T00:15:01.6062658Z',
    "11", "end",   "App4", '2020-02-27T00:16:01.6062658Z'
];
// Sample error log: one row per reported error, keyed by RunId and AppName.
// Run "10" has no rows here; run "11" lists the same error twice.
// NOTE(review): run "5" is tagged App2 here but App1 in Temptable, so a join on
// (AppName, RunId) drops its errors while a join on RunId alone keeps them.
let Errortable = datatable(RunId:string, Error:string, AppName:string)
[
    "1",  "Error1", "App1",
    "1",  "Error2", "App1",
    "1",  "Error3", "App1",
    "2",  "Error1", "App1",
    "2",  "Error4", "App1",
    "3",  "Error1", "App1",
    "3",  "Error2", "App1",
    "3",  "Error3", "App1",
    "3",  "Error4", "App1",
    "4",  "Error1", "App1",
    "5",  "Error1", "App2",
    "5",  "Error2", "App2",
    "6",  "Error1", "App2",
    "6",  "Error2", "App2",
    "7",  "Error1", "App2",
    "8",  "Error1", "App2",
    "9",  "Error1", "App3",
    "9",  "Error2", "App3",
    "11", "Error1", "App4",
    "11", "Error1", "App4"
];
下面是我试过的,
// Distinct application names that have at least one "start" row.
// The trailing project is redundant: summarize by AppName already yields only AppName.
let FactTable = Temptable
| where Message == "start"
| summarize by AppName
| project AppName;
// Latest run per application: among "start" rows older than 6 hours at query time,
// arg_max keeps the row with the greatest timestamp for each AppName.
let LatestRun = FactTable
| join kind = inner (Temptable | where timestamp < ago(6h) and Message == "start") on AppName
| summarize arg_max(timestamp,*) by AppName
| project AppName,RunId;
// Attach the errors of the latest run and count them per application and run.
// A leftouter join keeps a run without matching Errortable rows as one row with an empty Error;
// App4's latest run ("10") has no Errortable rows, which matches the count of 1 reported below.
// NOTE(review): count() is documented without an argument; countif(isnotempty(Error))
// would count only rows that really matched an error - confirm against the engine in use.
LatestRun
| join kind = leftouter (Errortable) on AppName,RunId
| summarize Count_Error = count(Error) by AppName,CurrentRunId = RunId
汇总结果时,"App4" 的计数返回 1,这是不对的。
我该如何解决这个问题?我还需要同时显示当前运行和上一次运行,如上面的代码片段所示。
有人能提供一些变通办法吗?
编辑 2:我找到了答案,但我不确定这是不是好方法。
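// Distinct application names that have at least one "start" row.
let FactTable = Temptable
| where Message == "start"
| distinct AppName;
// Latest run per application: among "start" rows older than 6 hours at query time,
// arg_max keeps the row with the greatest timestamp for each AppName.
let LatestRun = FactTable
| join kind = inner (Temptable | where timestamp < ago(6h) and Message == "start") on AppName
| summarize arg_max(timestamp,*) by AppName
| project AppName,RunId;
// Previous run per application: after joining LatestRun, RunId1 is the latest run's id,
// so the filter drops that run and arg_max picks the newest of the remaining ones.
// An application with a single run produces no row here.
let PreviousRun = FactTable
| join kind = inner (Temptable | where timestamp < ago(6h) and Message == "start") on AppName
| join kind= inner ( LatestRun) on AppName
| where RunId != RunId1
| summarize arg_max(timestamp,*) by AppName
| project AppName,RunId;
// Error count of the latest run. The leftouter join keeps a run without errors as one row
// with an empty Error, so countif(isnotempty(Error)) is used to report 0 for it instead of
// relying on count() with an argument, which the current documentation does not describe.
let CurrResult = FactTable
| join kind = leftouter (LatestRun) on AppName
| join kind = leftouter (Errortable) on AppName,RunId
| summarize Curr_ErrorCount = countif(isnotempty(Error)) by AppName,RunId
| project AppName,Curr_RunId = RunId,Curr_ErrorCount;
// Error count of the previous run, computed the same way.
let PrevResult = FactTable
| join kind = leftouter (PreviousRun) on AppName
| join kind = leftouter (Errortable) on AppName,RunId
| summarize Prev_ErrorCount = countif(isnotempty(Error)) by AppName,RunId
| project AppName,Prev_RunId = RunId,Prev_ErrorCount;
// One output row per application: current and previous run side by side.
// Prev_RunId stays empty for an application that has only one run.
LatestRun
| join kind = leftouter (CurrResult) on AppName
| join kind = leftouter (PrevResult) on AppName
| project AppName, Curr_RunId, Curr_ErrorCount, Prev_RunId,Prev_ErrorCount
| order by AppName asc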
有没有更好的方法来实现这个目标?
据我所知,您在 "Edit 2" 中给出的 Kusto 查询完全没有问题。
您也可以尝试以下方法,使用 top-nested:
// For each AppName (the first top-nested level has no count, so every value is kept),
// keep the 2 RunIds whose "start" timestamp is the most recent.
// Unlike the question's queries, no `timestamp < ago(6h)` filter is applied here.
let runs = Temptable
| where Message == "start"
| top-nested of AppName by min(1), top-nested 2 of RunId by timestamp=min(timestamp) desc;
// NOTE(review): the join key is RunId only, so this assumes RunId is unique across
// applications; the question's queries join on AppName,RunId instead.
runs
| join kind=leftouter Errortable on RunId
// countif(isnotempty(Error)) reports 0 for a run the leftouter join kept without any error row;
// max(timestamp) only carries the run's single start timestamp through the aggregation.
| summarize CountErrors=countif(isnotempty(Error)), timestamp = max(timestamp) by AppName, RunId
// Sorting first makes make_list emit the newest run at index 0 and the previous one at index 1.
| order by AppName asc, timestamp desc
| extend P = pack_all()
| summarize runs = make_list(P) by AppName
// Presumably runs[1] is null for an application with a single run (App3 in the sample) - confirm.
| project AppName = runs[0].AppName, Cur_RunId = runs[0].RunId, Cur_ErrorCount = runs[0].CountErrors, Prev_RunId = runs[1].RunId, Prev_ErrorCount = runs[1].CountErrors
我是 Kusto 的新手,正在尝试检索最近 2 次运行的数据并汇总错误计数。
请参考下面的代码片段,
供参考,下面是定义示例表的查询:
// Sample run log: one "start" and one "end" row per RunId, tagged with its AppName.
// All timestamps are fixed instants on 2020-02-27, so a `timestamp < ago(6h)`
// filter evaluated later than that day keeps every row.
let Temptable = datatable(RunId:string, Message:string, AppName:string, timestamp:datetime)
[
    "1",  "start", "App1", '2020-02-27T04:30:01.6062658Z',
    "1",  "end",   "App1", '2020-02-27T04:31:01.6062658Z',
    "2",  "start", "App1", '2020-02-27T04:00:01.6062658Z',
    "2",  "end",   "App1", '2020-02-27T04:01:01.6062658Z',
    "3",  "start", "App1", '2020-02-27T03:30:01.6062658Z',
    "3",  "end",   "App1", '2020-02-27T03:31:01.6062658Z',
    "4",  "start", "App1", '2020-02-27T03:00:01.6062658Z',
    "4",  "end",   "App1", '2020-02-27T03:01:01.6062658Z',
    "5",  "start", "App1", '2020-02-27T02:30:01.6062658Z',
    "5",  "end",   "App1", '2020-02-27T02:31:01.6062658Z',
    "6",  "start", "App2", '2020-02-27T04:00:01.6062658Z',
    "6",  "end",   "App2", '2020-02-27T04:01:01.6062658Z',
    "7",  "start", "App2", '2020-02-27T03:00:01.6062658Z',
    "7",  "end",   "App2", '2020-02-27T03:01:01.6062658Z',
    "8",  "start", "App2", '2020-02-27T02:00:01.6062658Z',
    "8",  "end",   "App2", '2020-02-27T02:01:01.6062658Z',
    "9",  "start", "App3", '2020-02-27T01:00:01.6062658Z',
    "9",  "end",   "App3", '2020-02-27T01:01:01.6062658Z',
    "10", "start", "App4", '2020-02-27T00:30:01.6062658Z',
    "10", "end",   "App4", '2020-02-27T00:32:01.6062658Z',
    "11", "start", "App4", '2020-02-27T00:15:01.6062658Z',
    "11", "end",   "App4", '2020-02-27T00:16:01.6062658Z'
];
// Sample error log: one row per reported error, keyed by RunId and AppName.
// Run "10" has no rows here; run "11" lists the same error twice.
// NOTE(review): run "5" is tagged App2 here but App1 in Temptable, so a join on
// (AppName, RunId) drops its errors while a join on RunId alone keeps them.
let Errortable = datatable(RunId:string, Error:string, AppName:string)
[
    "1",  "Error1", "App1",
    "1",  "Error2", "App1",
    "1",  "Error3", "App1",
    "2",  "Error1", "App1",
    "2",  "Error4", "App1",
    "3",  "Error1", "App1",
    "3",  "Error2", "App1",
    "3",  "Error3", "App1",
    "3",  "Error4", "App1",
    "4",  "Error1", "App1",
    "5",  "Error1", "App2",
    "5",  "Error2", "App2",
    "6",  "Error1", "App2",
    "6",  "Error2", "App2",
    "7",  "Error1", "App2",
    "8",  "Error1", "App2",
    "9",  "Error1", "App3",
    "9",  "Error2", "App3",
    "11", "Error1", "App4",
    "11", "Error1", "App4"
];
下面是我试过的,
// Distinct application names that have at least one "start" row.
// The trailing project is redundant: summarize by AppName already yields only AppName.
let FactTable = Temptable
| where Message == "start"
| summarize by AppName
| project AppName;
// Latest run per application: among "start" rows older than 6 hours at query time,
// arg_max keeps the row with the greatest timestamp for each AppName.
let LatestRun = FactTable
| join kind = inner (Temptable | where timestamp < ago(6h) and Message == "start") on AppName
| summarize arg_max(timestamp,*) by AppName
| project AppName,RunId;
// Attach the errors of the latest run and count them per application and run.
// A leftouter join keeps a run without matching Errortable rows as one row with an empty Error;
// App4's latest run ("10") has no Errortable rows, which matches the count of 1 reported below.
// NOTE(review): count() is documented without an argument; countif(isnotempty(Error))
// would count only rows that really matched an error - confirm against the engine in use.
LatestRun
| join kind = leftouter (Errortable) on AppName,RunId
| summarize Count_Error = count(Error) by AppName,CurrentRunId = RunId
汇总结果时,"App4" 的计数返回 1,这是不对的。
我该如何解决这个问题?我还需要同时显示当前运行和上一次运行,如上面的代码片段所示。
有人能提供一些变通办法吗?
编辑 2:我找到了答案,但我不确定这是不是好方法。
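// Distinct application names that have at least one "start" row.
let FactTable = Temptable
| where Message == "start"
| distinct AppName;
// Latest run per application: among "start" rows older than 6 hours at query time,
// arg_max keeps the row with the greatest timestamp for each AppName.
let LatestRun = FactTable
| join kind = inner (Temptable | where timestamp < ago(6h) and Message == "start") on AppName
| summarize arg_max(timestamp,*) by AppName
| project AppName,RunId;
// Previous run per application: after joining LatestRun, RunId1 is the latest run's id,
// so the filter drops that run and arg_max picks the newest of the remaining ones.
// An application with a single run produces no row here.
let PreviousRun = FactTable
| join kind = inner (Temptable | where timestamp < ago(6h) and Message == "start") on AppName
| join kind= inner ( LatestRun) on AppName
| where RunId != RunId1
| summarize arg_max(timestamp,*) by AppName
| project AppName,RunId;
// Error count of the latest run. The leftouter join keeps a run without errors as one row
// with an empty Error, so countif(isnotempty(Error)) is used to report 0 for it instead of
// relying on count() with an argument, which the current documentation does not describe.
let CurrResult = FactTable
| join kind = leftouter (LatestRun) on AppName
| join kind = leftouter (Errortable) on AppName,RunId
| summarize Curr_ErrorCount = countif(isnotempty(Error)) by AppName,RunId
| project AppName,Curr_RunId = RunId,Curr_ErrorCount;
// Error count of the previous run, computed the same way.
let PrevResult = FactTable
| join kind = leftouter (PreviousRun) on AppName
| join kind = leftouter (Errortable) on AppName,RunId
| summarize Prev_ErrorCount = countif(isnotempty(Error)) by AppName,RunId
| project AppName,Prev_RunId = RunId,Prev_ErrorCount;
// One output row per application: current and previous run side by side.
// Prev_RunId stays empty for an application that has only one run.
LatestRun
| join kind = leftouter (CurrResult) on AppName
| join kind = leftouter (PrevResult) on AppName
| project AppName, Curr_RunId, Curr_ErrorCount, Prev_RunId,Prev_ErrorCount
| order by AppName asc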
有没有更好的方法来实现这个目标?
据我所知,您在 "Edit 2" 中给出的 Kusto 查询完全没有问题。
您也可以尝试以下方法,使用 top-nested:
// For each AppName (the first top-nested level has no count, so every value is kept),
// keep the 2 RunIds whose "start" timestamp is the most recent.
// Unlike the question's queries, no `timestamp < ago(6h)` filter is applied here.
let runs = Temptable
| where Message == "start"
| top-nested of AppName by min(1), top-nested 2 of RunId by timestamp=min(timestamp) desc;
// NOTE(review): the join key is RunId only, so this assumes RunId is unique across
// applications; the question's queries join on AppName,RunId instead.
runs
| join kind=leftouter Errortable on RunId
// countif(isnotempty(Error)) reports 0 for a run the leftouter join kept without any error row;
// max(timestamp) only carries the run's single start timestamp through the aggregation.
| summarize CountErrors=countif(isnotempty(Error)), timestamp = max(timestamp) by AppName, RunId
// Sorting first makes make_list emit the newest run at index 0 and the previous one at index 1.
| order by AppName asc, timestamp desc
| extend P = pack_all()
| summarize runs = make_list(P) by AppName
// Presumably runs[1] is null for an application with a single run (App3 in the sample) - confirm.
| project AppName = runs[0].AppName, Cur_RunId = runs[0].RunId, Cur_ErrorCount = runs[0].CountErrors, Prev_RunId = runs[1].RunId, Prev_ErrorCount = runs[1].CountErrors