Group or Join multiple data events without a common event id
Source data:

Host | Alert | EventTime | EventStatus |
---|---|---|---|
host1 | WAN PING | 05:40 | WARNING |
host1 | WAN PING | 05:58 | CRITICAL |
host1 | WAN PING | 06:30 | OK |
host1 | WAN PING | 06:40 | WARNING |
host1 | WAN PING | 07:30 | OK |
host2 | WAN PING | 05:42 | WARNING |
host2 | WAN PING | 05:46 | OK |
host2 | WAN PING | 06:40 | WARNING |
host2 | WAN PING | 06:58 | CRITICAL |
host2 | WAN PING | 07:30 | OK |
host3 | WAN PING | 06:30 | WARNING |
host3 | WAN PING | 07:30 | OK |
I need to return the duration of each alert event:

host | eventStart | eventEnd | eventDuration |
---|---|---|---|
host1 | 05:40 | 06:30 | 00:50 |
host1 | 06:40 | 07:30 | 00:50 |
host2 | 05:42 | 05:46 | 00:04 |
host2 | 06:40 | 07:30 | 00:50 |
host3 | 06:30 | 07:30 | 01:00 |
I'm afraid there is no unique eventID to group the data by or to run a join on.

My attempt works for hosts that have only one 'event':

```kusto
T
| where Host == 'host3'
| summarize min(EventTime), max(EventTime) by Host
```

which returns the desired output, but if I run this against host1:

min=05:40 max=07:30

Is there a way to group these events by EventStatus?
You can use row_window_session(): https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/row-window-session-function

```kusto
datatable(Host:string, Alert:string, EventTime:datetime, EventStatus:string)
[
'host1', 'WAN PING', datetime(2020-12-16 05:40), 'WARNING',
'host1', 'WAN PING', datetime(2020-12-16 05:58), 'CRITICAL',
'host1', 'WAN PING', datetime(2020-12-16 06:30), 'OK',
'host1', 'WAN PING', datetime(2020-12-16 06:40), 'WARNING',
'host1', 'WAN PING', datetime(2020-12-16 07:30), 'OK',
'host2', 'WAN PING', datetime(2020-12-16 05:42), 'WARNING',
'host2', 'WAN PING', datetime(2020-12-16 05:46), 'OK',
'host2', 'WAN PING', datetime(2020-12-16 06:40), 'WARNING',
'host2', 'WAN PING', datetime(2020-12-16 06:58), 'CRITICAL',
'host2', 'WAN PING', datetime(2020-12-16 07:30), 'OK',
'host3', 'WAN PING', datetime(2020-12-16 06:30), 'WARNING',
'host3', 'WAN PING', datetime(2020-12-16 07:30), 'OK',
]
| order by Host asc, EventTime asc
// a new session starts when the host changes or the previous row was an OK (the alert had recovered);
// the two 1d windows are wide enough that they never split a session on their own
| extend session_start = row_window_session(EventTime, 1d, 1d, Host != prev(Host) or prev(EventStatus) == "OK")
| summarize eventStart = min(EventTime), eventEnd = max(EventTime) by session_start, Host
| project Host, eventStart, eventEnd, duration = eventEnd - eventStart
| order by Host asc, eventStart asc
```
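The sessionization that the answer's row_window_session() call performs, reimplemented in plain Python as an added example that is not part of the original answer. It reproduces the wanted output from the question's data, honours both time windows the function takes, and additionally flags a session whose last status never reached OK, so an alert that is still open at the end of the data is not mistaken for a short one. The EVENTS list and the resolved flag are constructed additions.

```python
from datetime import datetime, timedelta

MINUTE = timedelta(minutes=1)

# Constructed sample input: the question's source data as (Host, EventTime, EventStatus) rows.
EVENTS = [
    ("host1", "2020-12-16 05:40", "WARNING"), ("host1", "2020-12-16 05:58", "CRITICAL"),
    ("host1", "2020-12-16 06:30", "OK"), ("host1", "2020-12-16 06:40", "WARNING"),
    ("host1", "2020-12-16 07:30", "OK"), ("host2", "2020-12-16 05:42", "WARNING"),
    ("host2", "2020-12-16 05:46", "OK"), ("host2", "2020-12-16 06:40", "WARNING"),
    ("host2", "2020-12-16 06:58", "CRITICAL"), ("host2", "2020-12-16 07:30", "OK"),
    ("host3", "2020-12-16 06:30", "WARNING"), ("host3", "2020-12-16 07:30", "OK"),
]


def alert_sessions(events, max_from_first=timedelta(days=1), max_between=timedelta(days=1)):
    """Replicate the answer's row_window_session() call in plain Python.

    Rows are sorted by host and time. A new session starts when the host changes,
    when the previous row of the same host was an OK (the alert had recovered), or
    when the row falls outside either time window row_window_session() takes
    (distance from the session's first row, distance from the previous row).
    """
    rows = sorted((h, datetime.strptime(t, "%Y-%m-%d %H:%M"), s) for h, t, s in events)
    sessions = []
    prev_host = prev_status = None
    for host, ts, status in rows:
        restart = host != prev_host or prev_status == "OK"
        if not restart:
            cur = sessions[-1]
            restart = ts - cur["start"] > max_from_first or ts - cur["end"] > max_between
        if restart:
            sessions.append({"host": host, "start": ts, "end": ts, "resolved": False})
        cur = sessions[-1]
        cur["end"] = ts                    # max(EventTime) within the session
        cur["resolved"] = status == "OK"   # False: the alert never reached OK (still open)
        prev_host, prev_status = host, status
    return sessions


def duration_table(sessions):
    """Render sessions as (host, eventStart, eventEnd, eventDuration), like the wanted output."""
    table = []
    for s in sessions:
        minutes = int((s["end"] - s["start"]).total_seconds()) // 60
        table.append((s["host"], s["start"].strftime("%H:%M"), s["end"].strftime("%H:%M"),
                      "%02d:%02d" % divmod(minutes, 60)))
    return table
```

duration_table(alert_sessions(EVENTS)) yields the five rows of the wanted output; passing a smaller max_between splits a host's events into more sessions, exactly as tightening the second 1d argument would in KQL.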