每个用户 KQL 将 2 组汇总为 1 组
Summarize 2 sets into 1 set per user KQL
用户将 2 套汇总为 1 套的正确方法是什么?
例如下图:
我想创建一个新集(带问号的列),由用户组合 X_locations 和 Y_Locations 列。
我确实尝试了 strcat_array,但我不确定这些结果是否有效,有人知道这样做的正确方法吗?我设想这样的事情?:
| summarize whateverSetUnionFunctionHere(X_Locations,Y_Locations) by User
您可以使用 make_set() 函数,它将创建一个与输入中所有集合不同的集合。
您可以使用set_union()函数。
例如:
datatable(User:string, X_locations:dynamic, Y_locations:dynamic)
[
"user1", dynamic(["a"]), dynamic(["a"]),
"user2", dynamic(["b"]), dynamic(["c"]),
"user2", dynamic(["b"]), dynamic(["b"]),
]
| extend result = set_union(X_locations, Y_locations)
User
X_locations
Y_locations
result
user1
[
"a"
]
[
"a"
]
[
"a"
]
user2
[
"b"
]
[
"c"
]
[
"b",
"c"
]
user2
[
"b"
]
[
"b"
]
[
"b"
]
看来您正在寻找@Avnera 和@Yoni K 的组合。答案
datatable(User:string, X_locations:dynamic, Y_locations:dynamic)
[
"user1", dynamic(["a"]), dynamic(["a"]),
"user2", dynamic(["b","c"]), dynamic(["c"]),
"user2", dynamic(["b"]), dynamic(["b","d"]),
]
| summarize make_set(set_union(X_locations, Y_locations)) by User
User
set_
user1
["a"]
user2
["b","c","d"]
P.S.
有多种变体,例如set_union 可以替换为 array_concat
用户将 2 套汇总为 1 套的正确方法是什么?
例如下图:
我想创建一个新集(带问号的列),由用户组合 X_locations 和 Y_Locations 列。
我确实尝试了 strcat_array,但我不确定这些结果是否有效,有人知道这样做的正确方法吗?我设想这样的事情?:
| summarize whateverSetUnionFunctionHere(X_Locations,Y_Locations) by User
您可以使用 make_set() 函数,它将创建一个与输入中所有集合不同的集合。
您可以使用set_union()函数。
例如:
datatable(User:string, X_locations:dynamic, Y_locations:dynamic)
[
"user1", dynamic(["a"]), dynamic(["a"]),
"user2", dynamic(["b"]), dynamic(["c"]),
"user2", dynamic(["b"]), dynamic(["b"]),
]
| extend result = set_union(X_locations, Y_locations)
| User | X_locations | Y_locations | result |
|---|---|---|---|
| user1 | [ "a" ] |
[ "a" ] |
[ "a" ] |
| user2 | [ "b" ] |
[ "c" ] |
[ "b", "c" ] |
| user2 | [ "b" ] |
[ "b" ] |
[ "b" ] |
看来您正在寻找@Avnera 和@Yoni K 的组合。答案
datatable(User:string, X_locations:dynamic, Y_locations:dynamic)
[
"user1", dynamic(["a"]), dynamic(["a"]),
"user2", dynamic(["b","c"]), dynamic(["c"]),
"user2", dynamic(["b"]), dynamic(["b","d"]),
]
| summarize make_set(set_union(X_locations, Y_locations)) by User
| User | set_ |
|---|---|
| user1 | ["a"] |
| user2 | ["b","c","d"] |
P.S.
有多种变体,例如set_union 可以替换为 array_concat