如何使用 KQL 创建计算列“Flag”
How to create a calculated column " Flag" using KQL
timestamp
identifier
EDD
ward
2022-03-04T09:00:00Z
ab1
2022-03-06T09:00:00Z
h1
2022-03-04T11:45:00Z
ab1
2022-03-07T09:00:00Z
h1
2022-03-05T11:45:00Z
ab1
2022-03-09T09:00:00Z
h1
2022-03-06T11:45:00Z
ab1
2022-03-09T09:00:00Z
G1
2022-03-04T11:45:00Z
xy
2022-03-09T09:00:00Z
A1
2022-03-04T09:00:00Z
bc
2022-03-07T09:00:00Z
S1
2022-03-06T11:45:00Z
abc
2022-03-14T09:00:00Z
G1
2022-03-05T09:00:00Z
bc
2022-03-12T09:00:00Z
S1
2022-03-07T11:45:00Z
xyz
2022-03-10T09:00:00Z
Z1
2022-03-04T11:45:00Z
def
2022-03-09T09:00:00Z
A1
2022-03-06T11:45:00Z
def
2022-03-09T09:00:00Z
R1
2022-03-07T11:45:00Z
def
2022-03-09T09:00:00Z
H1
对于标识符的 EDD 中的每个更改,它应该标记 1
预期输出:
timestamp
identifier
EDD
ward
Flag
2022-03-04T09:00:00Z
ab1
2022-03-06T09:00:00Z
h1
2022-03-04T11:45:00Z
ab1
2022-03-07T09:00:00Z
h1
1
2022-03-05T11:45:00Z
ab1
2022-03-09T09:00:00Z
h1
1
2022-03-06T11:45:00Z
ab1
2022-03-09T09:00:00Z
G1
2022-03-04T11:45:00Z
xy
2022-03-09T09:00:00Z
A1
2022-03-04T09:00:00Z
bc
2022-03-07T09:00:00Z
S1
2022-03-06T11:45:00Z
abc
2022-03-14T09:00:00Z
G1
2022-03-05T09:00:00Z
bc
2022-03-12T09:00:00Z
S1
1
2022-03-07T11:45:00Z
xyz
2022-03-10T09:00:00Z
Z1
2022-03-04T11:45:00Z
def
2022-03-09T09:00:00Z
A1
2022-03-06T11:45:00Z
def
2022-03-09T09:00:00Z
R1
2022-03-07T11:45:00Z
def
2022-03-09T09:00:00Z
H1
您应该使用 prev() 函数:
<Your query>
| extend Flag = iff(EOD != prev(EOD), 1, 0)
请注意,为了使 prev() 起作用,extend 运算符的输入应为 serialized,例如,按某些列中的值排序。这是因为 Kusto 中的记录没有排序。
| timestamp | identifier | EDD | ward |
|---|---|---|---|
| 2022-03-04T09:00:00Z | ab1 | 2022-03-06T09:00:00Z | h1 |
| 2022-03-04T11:45:00Z | ab1 | 2022-03-07T09:00:00Z | h1 |
| 2022-03-05T11:45:00Z | ab1 | 2022-03-09T09:00:00Z | h1 |
| 2022-03-06T11:45:00Z | ab1 | 2022-03-09T09:00:00Z | G1 |
| 2022-03-04T11:45:00Z | xy | 2022-03-09T09:00:00Z | A1 |
| 2022-03-04T09:00:00Z | bc | 2022-03-07T09:00:00Z | S1 |
| 2022-03-06T11:45:00Z | abc | 2022-03-14T09:00:00Z | G1 |
| 2022-03-05T09:00:00Z | bc | 2022-03-12T09:00:00Z | S1 |
| 2022-03-07T11:45:00Z | xyz | 2022-03-10T09:00:00Z | Z1 |
| 2022-03-04T11:45:00Z | def | 2022-03-09T09:00:00Z | A1 |
| 2022-03-06T11:45:00Z | def | 2022-03-09T09:00:00Z | R1 |
| 2022-03-07T11:45:00Z | def | 2022-03-09T09:00:00Z | H1 |
对于标识符的 EDD 中的每个更改,它应该标记 1
预期输出:
| timestamp | identifier | EDD | ward | Flag |
|---|---|---|---|---|
| 2022-03-04T09:00:00Z | ab1 | 2022-03-06T09:00:00Z | h1 | |
| 2022-03-04T11:45:00Z | ab1 | 2022-03-07T09:00:00Z | h1 | 1 |
| 2022-03-05T11:45:00Z | ab1 | 2022-03-09T09:00:00Z | h1 | 1 |
| 2022-03-06T11:45:00Z | ab1 | 2022-03-09T09:00:00Z | G1 | |
| 2022-03-04T11:45:00Z | xy | 2022-03-09T09:00:00Z | A1 | |
| 2022-03-04T09:00:00Z | bc | 2022-03-07T09:00:00Z | S1 | |
| 2022-03-06T11:45:00Z | abc | 2022-03-14T09:00:00Z | G1 | |
| 2022-03-05T09:00:00Z | bc | 2022-03-12T09:00:00Z | S1 | 1 |
| 2022-03-07T11:45:00Z | xyz | 2022-03-10T09:00:00Z | Z1 | |
| 2022-03-04T11:45:00Z | def | 2022-03-09T09:00:00Z | A1 | |
| 2022-03-06T11:45:00Z | def | 2022-03-09T09:00:00Z | R1 | |
| 2022-03-07T11:45:00Z | def | 2022-03-09T09:00:00Z | H1 |
您应该使用 prev() 函数:
<Your query>
| extend Flag = iff(EOD != prev(EOD), 1, 0)
请注意,为了使 prev() 起作用,extend 运算符的输入应为 serialized,例如,按某些列中的值排序。这是因为 Kusto 中的记录没有排序。