Kusto:将结果集中的每一行与另一行进行比较 table
Kusto: compare each row in a resultset with another table
我有两个 table:
事件表
和子类别 table:
我希望用“dataflow”子类别标记 EventsTable 中的所有行,因为关键字:cpu、dataflow 和 cpupct 属于子类别 dataflow。
我正在寻找具有如下逻辑的查询:
let Subcategory = datatable(subcategory:string, keywords:dynamic )
[
'saturacion', dynamic(["saturation","infrastructure"]),
'slow disk',dynamic(["low","disk","space"]),
'saturacion',dynamic(["using","win","use"]),
'saturacion',dynamic(["used","win","utilization","percentage"]),
'swap memory',dynamic(["swap","memory","usage"]),
'disk full',dynamic(["disk","free","size","filesystemspace"]),
'dataflow',dynamic(["cpu","dataflow","cpupct"])
];
let EventsTable = datatable(ID:string, category:string, words:dynamic )
[
'mcsc1','cpu',dynamic(["swap","memory","usage"]),
'mcsc2','cpu',dynamic(["disk","free","size","filesystemspace"]),
'mcsc3','cpu',dynamic(["cpu","dataflow","cpupct"])
];
EventsTable
| mv-apply Subcategory on
(
extend subcat=iff(
array_length(set_intersect(words, Subcategory.keywords)) == array_length(Subcategory.keywords),
Subcategory.subcategory, 'none')
)
您可以尝试以下方法(虽然我不确定这是解决此问题的最佳方法):
let Subcategory = datatable(subcategory:string, keywords:dynamic )
[
'saturacion', dynamic(["saturation","infrastructure"]),
'slow disk',dynamic(["low","disk","space"]),
'saturacion',dynamic(["using","win","use"]),
'saturacion',dynamic(["used","win","utilization","percentage"]),
'swap memory',dynamic(["swap","memory","usage"]),
'disk full',dynamic(["disk","free","size","filesystemspace"]),
'dataflow',dynamic(["cpu","dataflow","cpupct"])
];
let EventsTable = datatable(ID:string, category:string, words:dynamic )
[
'mcsc1','cpu',dynamic(["swap","memory","usage"]),
'mcsc2','cpu',dynamic(["disk","free","size","filesystemspace"]),
'mcsc3','cpu',dynamic(["cpu","dataflow","cpupct"])
];
EventsTable | extend Temp=1
| join kind=inner (Subcategory | extend Temp=1) on Temp
| extend subcat = iff(array_length(set_intersect(words, keywords)) == array_length(keywords), category, 'none')
| project-away Temp, Temp1
我有两个 table:
事件表
和子类别 table:
我希望用“dataflow”子类别标记 EventsTable 中的所有行,因为关键字:cpu、dataflow 和 cpupct 属于子类别 dataflow。
我正在寻找具有如下逻辑的查询:
let Subcategory = datatable(subcategory:string, keywords:dynamic )
[
'saturacion', dynamic(["saturation","infrastructure"]),
'slow disk',dynamic(["low","disk","space"]),
'saturacion',dynamic(["using","win","use"]),
'saturacion',dynamic(["used","win","utilization","percentage"]),
'swap memory',dynamic(["swap","memory","usage"]),
'disk full',dynamic(["disk","free","size","filesystemspace"]),
'dataflow',dynamic(["cpu","dataflow","cpupct"])
];
let EventsTable = datatable(ID:string, category:string, words:dynamic )
[
'mcsc1','cpu',dynamic(["swap","memory","usage"]),
'mcsc2','cpu',dynamic(["disk","free","size","filesystemspace"]),
'mcsc3','cpu',dynamic(["cpu","dataflow","cpupct"])
];
EventsTable
| mv-apply Subcategory on
(
extend subcat=iff(
array_length(set_intersect(words, Subcategory.keywords)) == array_length(Subcategory.keywords),
Subcategory.subcategory, 'none')
)
您可以尝试以下方法(虽然我不确定这是解决此问题的最佳方法):
let Subcategory = datatable(subcategory:string, keywords:dynamic )
[
'saturacion', dynamic(["saturation","infrastructure"]),
'slow disk',dynamic(["low","disk","space"]),
'saturacion',dynamic(["using","win","use"]),
'saturacion',dynamic(["used","win","utilization","percentage"]),
'swap memory',dynamic(["swap","memory","usage"]),
'disk full',dynamic(["disk","free","size","filesystemspace"]),
'dataflow',dynamic(["cpu","dataflow","cpupct"])
];
let EventsTable = datatable(ID:string, category:string, words:dynamic )
[
'mcsc1','cpu',dynamic(["swap","memory","usage"]),
'mcsc2','cpu',dynamic(["disk","free","size","filesystemspace"]),
'mcsc3','cpu',dynamic(["cpu","dataflow","cpupct"])
];
EventsTable | extend Temp=1
| join kind=inner (Subcategory | extend Temp=1) on Temp
| extend subcat = iff(array_length(set_intersect(words, keywords)) == array_length(keywords), category, 'none')
| project-away Temp, Temp1