确定用户在 Kusto 中总结的参加事件之间经过的时间？

Question

EmpId   Terminal    TimeStamp
1   A   2021-11-16 05:00:15
2   B   2021-11-16 05:00:15
1   B   2021-11-16 06:05:00
2   C   2021-11-16 09:00:15
1   A   2021-11-16 08:00:15
2   B   2021-11-16 11:00:15

**DataTable**
let T = datatable(EmpId:string , Terminal:string, TimeStamp:datetime )
[
   "1", "A", datetime(2021-11-16 05:00:15),
   "2", "B", datetime(2021-11-16 05:00:15),
   "1", "B", datetime(2021-11-16 06:05:00),
   "1", "A", datetime(2021-11-16 08:00:15),
   "2", "B", datetime(2021-11-16 11:00:15),
   "2", "C", datetime(2021-11-16 09:00:15),
];
T   
    | order by TimeStamp asc
    | extend elapsedTime = datetime_diff('minute', next(TimeStamp), TimeStamp)
| summarize Travelled=count(), TerminalT = strcat_array(make_list(Terminal), "->"), TimeStamp=strcat_array(make_list(TimeStamp), "->"),  ElapsTime=strcat_array(make_list(elapsedTime), "->") by EmpId

预期结果：
EmpId 终端时间戳 TimeSpentinMins 1 A->B->A 2021-11-16 05:00:15 - >2021-11-16 06:05:00->2021-11-18 08:00:15 65->115 2 B->C->B 2021-11-16 05:00:15->2021-11-16 09:00:15->2021-11-16 11:00:15 240->120

Expected Result

没有得到预期的结果，因为 serialize/order by 子句需要重新排序事件。需要一种方法来按员工 ID 分组，然后在每个组中按 TimeStamp 排序，以便按预期计算经过的时间。可行吗？

Answer 1

请参阅下面的 2 个选项。对于更大的数据集，第二个应该表现更好。

选项 #1

let T = datatable(EmpId:string , Terminal:string, TimeStamp:datetime )
[
   "1", "A", datetime(2021-11-16 05:00:15),
   "2", "B", datetime(2021-11-16 05:00:15),
   "1", "B", datetime(2021-11-16 06:05:00),
   "1", "A", datetime(2021-11-16 08:00:15),
   "2", "B", datetime(2021-11-16 11:00:15),
   "2", "C", datetime(2021-11-16 09:00:15),
];
T   
| order by EmpId, TimeStamp asc
| extend elapsedTime = iff(next(EmpId) == EmpId, datetime_diff('minute', next(TimeStamp), TimeStamp), long(null))
| summarize Travelled=count(), 
TerminalT = strcat_array(make_list(Terminal), "->"), 
TimeStamp=strcat_array(make_list(TimeStamp), "->"),  ElapsTime=strcat_array(make_list_if(elapsedTime, elapsedTime != long(null)), "->") by EmpId

EmpId	Travelled	TerminalT	TimeStamp	ElapsTime
2	3	B->C->B	2021-11-16T05:00:15.0000000Z->2021-11-16T09:00:15.0000000Z->2021-11-16T11:00:15.0000000Z	240->120
1	3	A->B->A	2021-11-16T05:00:15.0000000Z->2021-11-16T06:05:00.0000000Z->2021-11-16T08:00:15.0000000Z	65->115

选项 #2：使用 partition operator

let T = datatable(EmpId:string , Terminal:string, TimeStamp:datetime )
[
   "1", "A", datetime(2021-11-16 05:00:15),
   "2", "B", datetime(2021-11-16 05:00:15),
   "1", "B", datetime(2021-11-16 06:05:00),
   "1", "A", datetime(2021-11-16 08:00:15),
   "2", "B", datetime(2021-11-16 11:00:15),
   "2", "C", datetime(2021-11-16 09:00:15),
];
T 
| partition hint.strategy=native by EmpId
(
    order by TimeStamp asc
    | extend elapsedTime = datetime_diff('minute', next(TimeStamp), TimeStamp)
    | summarize Travelled=count(), 
    TerminalT = strcat_array(make_list(Terminal), "->"), 
    TimeStamp=strcat_array(make_list(TimeStamp), "->"),  ElapsTime=strcat_array(make_list(elapsedTime), "->") by EmpId
)

EmpId	Travelled	TerminalT	TimeStamp	ElapsTime
1	3	A->B->A	2021-11-16T05:00:15.0000000Z->2021-11-16T06:05:00.0000000Z->2021-11-16T08:00:15.0000000Z	65->115
2	3	B->C->B	2021-11-16T05:00:15.0000000Z->2021-11-16T09:00:15.0000000Z->2021-11-16T11:00:15.0000000Z	240->120

确定用户在 Kusto 中总结的参加事件之间经过的时间？

Determine elapsed time between events attended summarized by users in Kusto?

summarize

kql

azure-data-explorer