Kusto - Avgif、Min、Max 和 Median
Kusto - Avgif, Min , Max and Median
我正在将以下 Splunk 查询转换为 Kusto
avg(eval(if(Test="Success", Duration, null()))) as AvgDuration
如果测试成功,此查询将 return 持续时间的平均值,否则 return 空值。如果下面的 Kusto 查询将 return 与我没有看到匹配的数字
相同的结果,你能请教一下吗
| summarize AvgDuration = avgif (Duration, Test = "Success")
请问如何在相同条件下计算最小值、最大值和中值。谢谢
对于最小值和最大值,您可以这样做:
let T = datatable(Test:string, Duration:timespan)["Success", timespan(05:03:01.78),"Success", timespan(15:00:06.28),"Success", timespan(02:03:05.98),"Fail", timespan(00:03:01.28)];
T
| summarize AvgDuration = avgif (Duration, Test == "Success"),
MinDuration = minif (Duration, Test == "Success"),
MaxDuration = maxif (Duration, Test == "Success")
AvgDuration
MinDuration
MaxDuration
07:22:04.6800000
02:03:05.9800000
15:00:06.2800000
percentile() 聚合函数没有“if”版本,因此您需要对其进行单独计算。最简单的做法是先过滤再聚合,例如:
let T = datatable(Test:string, Duration:timespan)["Success", timespan(05:03:01.78),"Success", timespan(15:00:06.28),"Success", timespan(02:03:05.98),"Fail", timespan(00:03:01.28)];
T
| where Test == "Success"
| summarize AvgDuration = avg(Duration),
MinDuration = min(Duration),
MaxDuration = max(Duration),
Median = percentile(Duration, 50)
AvgDuration
MinDuration
MaxDuration
Median
07:22:04.6800000
02:03:05.9800000
15:00:06.2800000
05:03:01.7800000
但是,有时您希望在对条件进行聚合的同时对整个数据集进行聚合。如果是这种情况,您将需要 运行 两个查询并加入它们。例如,假设您要包括完整计数:
let T = datatable(Test:string, Duration:timespan)["Success", timespan(05:03:01.78),"Success", timespan(15:00:06.28),"Success", timespan(02:03:05.98),"Fail", timespan(00:03:01.28)];
let T1 = T
| summarize AvgDuration = avgif (Duration, Test == "Success"),
MinDuration = minif (Duration, Test == "Success"),
MaxDuration = maxif (Duration, Test == "Success"),
TotalCount = count()
| extend Dummy = 1;
let T2 = T
| where Test == "Success"
| summarize Median = percentile(Duration, 50)
| extend Dummy = 1;
T1
| lookup T2 on Dummy
| project-away Dummy
AvgDuration
MinDuration
MaxDuration
TotalCount
Median
07:22:04.6800000
02:03:05.9800000
15:00:06.2800000
4
05:03:01.7800000
如果在聚合之前有繁重的处理,您可能要考虑在 T.
的计算周围使用 materialize() 函数
我正在将以下 Splunk 查询转换为 Kusto
avg(eval(if(Test="Success", Duration, null()))) as AvgDuration
如果测试成功,此查询将 return 持续时间的平均值,否则 return 空值。如果下面的 Kusto 查询将 return 与我没有看到匹配的数字
相同的结果,你能请教一下吗| summarize AvgDuration = avgif (Duration, Test = "Success")
请问如何在相同条件下计算最小值、最大值和中值。谢谢
对于最小值和最大值,您可以这样做:
let T = datatable(Test:string, Duration:timespan)["Success", timespan(05:03:01.78),"Success", timespan(15:00:06.28),"Success", timespan(02:03:05.98),"Fail", timespan(00:03:01.28)];
T
| summarize AvgDuration = avgif (Duration, Test == "Success"),
MinDuration = minif (Duration, Test == "Success"),
MaxDuration = maxif (Duration, Test == "Success")
| AvgDuration | MinDuration | MaxDuration |
|---|---|---|
| 07:22:04.6800000 | 02:03:05.9800000 | 15:00:06.2800000 |
percentile() 聚合函数没有“if”版本,因此您需要对其进行单独计算。最简单的做法是先过滤再聚合,例如:
let T = datatable(Test:string, Duration:timespan)["Success", timespan(05:03:01.78),"Success", timespan(15:00:06.28),"Success", timespan(02:03:05.98),"Fail", timespan(00:03:01.28)];
T
| where Test == "Success"
| summarize AvgDuration = avg(Duration),
MinDuration = min(Duration),
MaxDuration = max(Duration),
Median = percentile(Duration, 50)
| AvgDuration | MinDuration | MaxDuration | Median |
|---|---|---|---|
| 07:22:04.6800000 | 02:03:05.9800000 | 15:00:06.2800000 | 05:03:01.7800000 |
但是,有时您希望在对条件进行聚合的同时对整个数据集进行聚合。如果是这种情况,您将需要 运行 两个查询并加入它们。例如,假设您要包括完整计数:
let T = datatable(Test:string, Duration:timespan)["Success", timespan(05:03:01.78),"Success", timespan(15:00:06.28),"Success", timespan(02:03:05.98),"Fail", timespan(00:03:01.28)];
let T1 = T
| summarize AvgDuration = avgif (Duration, Test == "Success"),
MinDuration = minif (Duration, Test == "Success"),
MaxDuration = maxif (Duration, Test == "Success"),
TotalCount = count()
| extend Dummy = 1;
let T2 = T
| where Test == "Success"
| summarize Median = percentile(Duration, 50)
| extend Dummy = 1;
T1
| lookup T2 on Dummy
| project-away Dummy
| AvgDuration | MinDuration | MaxDuration | TotalCount | Median |
|---|---|---|---|---|
| 07:22:04.6800000 | 02:03:05.9800000 | 15:00:06.2800000 | 4 | 05:03:01.7800000 |
如果在聚合之前有繁重的处理,您可能要考虑在 T.