Kusto - Splunk to Kusto Query conversion for "max(_time) as time by jobid | sort -time"
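I am working on a Splunk to Kusto dashboard conversion. Could you tell me how to convert the following Splunk query to Kusto?
I understand the filter on result, but I am stuck at the part where it summarizes with max(_time) as time by jobid | sort -time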
| stats count(eval(result=="failed")) as failed count(eval(result=="succeess" OR result=="progress")) as succeeded max(_time) as time by jobid | sort -time
It should look like this:
| summarize failed = countif(result=="failed"),
succeeded = countif(result=="succeess" or result=="progress"),
['time'] = max(_time) by jobid
| sort by ['time'] desc