Kusto 查询以随时间获取事件的百分比值

Kusto query to get percentage value of events over time

我在 Azure 日志分析中有一个 Kusto/KQL 查询,它聚合了一段时间内的事件计数,例如:

customEvents
| where name == "EventICareAbout"
| extend channel = customDimensions["ChannelName"]
| summarize events=count() by bin(timestamp, 1m), tostring(channel)

这给出了每分钟桶中事件计数的良好结果集。

但是这个计数是相当没有意义的,我想知道这个计数是否与上一小时的平均值不同。

但我什至不确定如何开始构建类似的东西。

有什么指点吗?

有几种方法可以实现这一点,首先,计算每小时平均值作为附加列,然后计算与每小时平均值的差异:

let minuteValues = customEvents
| where name == "EventICareAbout"
| extend channel = customDimensions["ChannelName"]
| summarize events=count() by bin(timestamp, 1m), tostring(channel)
| extend Day = startofday(timestamp), hour =hourofday(timestamp);
let hourlyAverage = customEvents
| where name == "EventICareAbout"
| extend channel = customDimensions["ChannelName"]
| summarize events=count() by bin(timestamp, 1m), tostring(channel)
| summarize hourlyAvgEvents = avg(events) by bin(timestamp,1h), tostring(channel)
| extend Day = startofday(timestamp),hour =hourofday(timestamp);
minuteValues
| lookup hourlyAverage on hour, Day
| extend Diff = events- hourlyAvgEvents

另一种选择是使用内置 Anomaly detection