分组或加入没有共同事件 ID 的多个数据事件

Group or Join multiple data events without a common event id

源数据:

Host Alert EventTime EventStatus
host1 WAN PING 05:40 WARNING
host1 WAN PING 05:58 CRITICAL
host1 WAN PING 06:30 OK
host1 WAN PING 06:40 WARNING
host1 WAN PING 07:30 OK
host2 WAN PING 05:42 WARNING
host2 WAN PING 05:46 OK
host2 WAN PING 06:40 WARNING
host2 WAN PING 06:58 CRITICAL
host2 WAN PING 07:30 OK
host3 WAN PING 06:30 WARNING
host3 WAN PING 07:30 OK

我需要 return 每个警报事件的持续时间。

host eventStart eventEnd eventDuration
host1 05:40 06:30 00:50
host1 06:40 07:30 00:50
host2 05:42 05:46 00:04
host2 06:40 07:30 00:50
host3 06:30 07:30 01:00

恐怕没有唯一的 eventID 来对数据进行分组,运行 join

我的尝试适用于只有一个 'event'

的主机
T
| where Host == 'host3'
| summarize min(eventTime), max(eventTime) by Host

哪个 return 想要的输出,但是如果我 运行 这反对 host1 min=05:40 max=07:30

有没有办法按 EventStatus 对这些事件进行分组?

您可以使用 row_window_session()https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/row-window-session-function

datatable(Host:string, Alert:string, EventTime:datetime, EventStatus:string)
[
    'host1', 'WAN PING', datetime(2020-12-16 05:40), 'WARNING',
    'host1', 'WAN PING', datetime(2020-12-16 05:58), 'CRITICAL',
    'host1', 'WAN PING', datetime(2020-12-16 06:30), 'OK',
    'host1', 'WAN PING', datetime(2020-12-16 06:40), 'WARNING',
    'host1', 'WAN PING', datetime(2020-12-16 07:30), 'OK',
    'host2', 'WAN PING', datetime(2020-12-16 05:42), 'WARNING',
    'host2', 'WAN PING', datetime(2020-12-16 05:46), 'OK',
    'host2', 'WAN PING', datetime(2020-12-16 06:40), 'WARNING',
    'host2', 'WAN PING', datetime(2020-12-16 06:58), 'CRITICAL',
    'host2', 'WAN PING', datetime(2020-12-16 07:30), 'OK',
    'host3', 'WAN PING', datetime(2020-12-16 06:30), 'WARNING',
    'host3', 'WAN PING', datetime(2020-12-16 07:30), 'OK',
]
| order by Host asc, EventTime asc 
| extend session_start = row_window_session(EventTime, 1d, 1d, Host != prev(Host) or prev(EventStatus) == "OK")
| summarize eventStart = min(EventTime), eventEnd = max(EventTime) by session_start, Host
| project Host, eventStart, eventEnd, duration = eventEnd - eventStart
| order by Host asc, eventStart asc