如何在 pivot for azure log alerts 之后索引 kusto 查询中的列
How to index a column in kusto query after pivot for azure log alerts
我有以下 kusto 查询在 Azure 中用作日志查询
traces
| where message contains "SWSE"
| extend d=parse_json(message)
| extend Info=tostring(d.message)
| where Info startswith "Borrow Token" or Info startswith "Return Token"
| extend tAction = tostring( split(Info,' ',0)[0])
| summarize count_=count() by tAction, timebox=bin(timestamp, 10m)
| evaluate pivot(tAction,sum(count_))
| extend diff = abs(Borrow-Return)
| where diff>2
导致
但是,此行在导入日志警报时被标记为错误,而不是在 运行 针对 Azure 日志时。
| extend diff = abs(Borrow-Return)
错误:
The request had some invalid properties
还有其他方法可以引用这些列吗?
pivot() 插件的输出模式不是确定性的,取决于输入数据 - 如果您期望的列实际上不存在,您可能需要使用 column_ifexists()输出模式。
例如:
| extend diff = abs(column_ifexists("Borrow", 0) - column_ifexists("Return", 0))
我有以下 kusto 查询在 Azure 中用作日志查询
traces
| where message contains "SWSE"
| extend d=parse_json(message)
| extend Info=tostring(d.message)
| where Info startswith "Borrow Token" or Info startswith "Return Token"
| extend tAction = tostring( split(Info,' ',0)[0])
| summarize count_=count() by tAction, timebox=bin(timestamp, 10m)
| evaluate pivot(tAction,sum(count_))
| extend diff = abs(Borrow-Return)
| where diff>2
导致
但是,此行在导入日志警报时被标记为错误,而不是在 运行 针对 Azure 日志时。
| extend diff = abs(Borrow-Return)
错误:
The request had some invalid properties
还有其他方法可以引用这些列吗?
pivot() 插件的输出模式不是确定性的,取决于输入数据 - 如果您期望的列实际上不存在,您可能需要使用 column_ifexists()输出模式。
例如:
| extend diff = abs(column_ifexists("Borrow", 0) - column_ifexists("Return", 0))