Kusto - Identify if a failed operation is the last operation in a summarized group and print that operation and user details
```kusto
// result holds numeric status codes, so it is declared as int
let TempTable = datatable(timeStamp:datetime, fName:string, lName:string, opName:string, result:int, location:string, error:string)
[
    '2022-02-17 16:47', 'abc',  'cde', 'PUT',    0, 'loc1', "success",
    '2022-02-18 16:47', 'abc',  'cde', 'Patch',  1, 'loc1', "warning",
    '2022-02-19 16:47', 'abc',  'cde', 'Patch',  2, 'loc1', "specific error",
    '2022-02-20 16:47', 'abc',  'cde', 'Delete', 2, 'loc1', "error",
    '2022-03-01 19:47', 'xyz',  'uvw', 'PUT',    0, 'loc2', "success",
    '2022-03-02 19:47', 'xyz',  'uvw', 'Patch',  2, 'loc2', "specific error",
    '2022-03-03 19:47', 'xyz',  'uvw', 'Delete', 0, 'loc2', "success",
    '2022-03-04 19:47', 'ijk',  'lmn', 'PUT',    0, 'loc3', "success",
    '2022-01-17 22:47', 'ijk',  'lmn', 'Patch',  2, 'loc3', "error",
    '2022-01-18 22:47', 'ijk',  'lmn', 'Delete', 0, 'loc3', "success",
    '2022-01-19 22:47', 'ijk',  'lmn', 'PUT',    1, 'loc3', "warning",
    '2022-01-20 22:47', 'ijk',  'lmn', 'Patch',  0, 'loc3', "success",
    '2022-02-17 16:47', 'abc1', 'cde', 'PUT',    0, 'loc1', "success",
    '2022-02-18 16:47', 'abc1', 'cde', 'Patch',  1, 'loc1', "warning",
    '2022-02-19 16:47', 'abc1', 'cde', 'Patch',  2, 'loc1', "specific error"
];
TempTable | summarize by timeStamp, fName, lName, opName, result, location, error
```
Expected result -
>'2022-02-19 16:47', 'abc', 'cde' , 'Patch' ,2, 'loc1',"specific error",
>'2022-02-19 16:47', 'abc1', 'cde' , 'Patch' ,2, 'loc1',"specific error",
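Status 0 - Success

I need to get the details (the expected output above) of users whose Patch operation failed (status 2) with the specific error, and who either attempted no other operation after that Patch failure (with the specific error), or attempted other operations that have also failed, up to now.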
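Step 1: You got the requested specific error, or you are already in step 1, you have not switched to another user, and the current record's result is some kind of error (including the specific error).
Step 2: You have not switched to another user, the current record's result is not an error, and this is the first time you enter this step.
Each match starts with a specific error, followed by optional additional errors, followed by an optional non-error.
Each user may have multiple matches.
For each match of each user, we find how it ended, and we bring the record of the first specific error.
For each user, we take the last match and keep only the users whose last match ended with an error.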
```kusto
// result holds numeric status codes and is compared with 2 below, so it is declared as int
let TempTable = datatable(timeStamp:datetime, fName:string, lName:string, opName:string, result:int, location:string, error:string)
[
    '2022-02-17 16:47' ,'abc'  ,'cde' ,'PUT'    ,0 ,'loc1' ,"success",
    '2022-02-18 16:47' ,'abc'  ,'cde' ,'Patch'  ,1 ,'loc1' ,"warning",
    '2022-02-19 16:47' ,'abc'  ,'cde' ,'Patch'  ,2 ,'loc1' ,"specific error",
    '2022-02-20 16:47' ,'abc'  ,'cde' ,'Delete' ,2 ,'loc1' ,"error",
    '2022-03-01 19:47' ,'xyz'  ,'uvw' ,'PUT'    ,0 ,'loc2' ,"success",
    '2022-03-02 19:47' ,'xyz'  ,'uvw' ,'Patch'  ,2 ,'loc2' ,"specific error",
    '2022-03-03 19:47' ,'xyz'  ,'uvw' ,'Delete' ,0 ,'loc2' ,"success",
    '2022-03-04 19:47' ,'ijk'  ,'lmn' ,'PUT'    ,0 ,'loc3' ,"success",
    '2022-01-17 22:47' ,'ijk'  ,'lmn' ,'Patch'  ,2 ,'loc3' ,"error",
    '2022-01-18 22:47' ,'ijk'  ,'lmn' ,'Delete' ,0 ,'loc3' ,"success",
    '2022-01-19 22:47' ,'ijk'  ,'lmn' ,'PUT'    ,1 ,'loc3' ,"warning",
    '2022-01-20 22:47' ,'ijk'  ,'lmn' ,'Patch'  ,0 ,'loc3' ,"success",
    '2022-02-17 16:47' ,'abc1' ,'cde' ,'PUT'    ,0 ,'loc1' ,"success",
    '2022-02-18 16:47' ,'abc1' ,'cde' ,'Patch'  ,1 ,'loc1' ,"warning",
    '2022-02-19 16:47' ,'abc1' ,'cde' ,'Patch'  ,2 ,'loc1' ,"specific error"
];
TempTable
| extend specific_error_flag = opName == 'Patch' and result == 2 and error == 'specific error'
// scan processes rows in order, so each user's records must be contiguous and chronological
| order by fName, lName, timeStamp asc
| scan with_match_id = _mid
    declare (is_valid:bool)
    with
    (
        // s1: a specific error, or a further error for the same user while already in s1
        step s1 : specific_error_flag or (fName == s1.fName and lName == s1.lName and result == 2) => is_valid = false;
        // s2: the first non-error for the same user after s1
        step s2 : fName == s1.fName and lName == s1.lName and result != 2 and isnull(s2.is_valid) => is_valid = true;
    )
// per match: how it ended (is_valid of the latest record) and the record of its first specific error
| summarize (_max_ts_mid,_max_ts_mid_is_valid) = arg_max(timeStamp,is_valid), _min_ts_mid = arg_min(iff(specific_error_flag,timeStamp,datetime(null)),*) by fName,lName,_mid
// per user: keep only the last match
| summarize arg_max(_mid,*) by fName,lName
| where _max_ts_mid_is_valid == false
| project-away _*
```
fName | lName | timeStamp | opName | result | location | error | specific_error_flag | is_valid |
---|---|---|---|---|---|---|---|---|
abc1 | cde | 2022-02-19T16:47:00Z | Patch | 2 | loc1 | specific error | true | false |
abc | cde | 2022-02-19T16:47:00Z | Patch | 2 | loc1 | specific error | true | false |
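The matching rules described in the answer, written out as an explicit per-user state machine in Python so the query's result can be checked offline against the same rows. This is an added example, not code from the original answer; the names `is_specific` and `unresolved_specific_errors` are illustrative.

```python
from itertools import groupby

# Rows copied from the page's datatable:
# (timeStamp, fName, lName, opName, result, location, error)
ROWS = [
    ("2022-02-17 16:47", "abc", "cde", "PUT", 0, "loc1", "success"),
    ("2022-02-18 16:47", "abc", "cde", "Patch", 1, "loc1", "warning"),
    ("2022-02-19 16:47", "abc", "cde", "Patch", 2, "loc1", "specific error"),
    ("2022-02-20 16:47", "abc", "cde", "Delete", 2, "loc1", "error"),
    ("2022-03-01 19:47", "xyz", "uvw", "PUT", 0, "loc2", "success"),
    ("2022-03-02 19:47", "xyz", "uvw", "Patch", 2, "loc2", "specific error"),
    ("2022-03-03 19:47", "xyz", "uvw", "Delete", 0, "loc2", "success"),
    ("2022-03-04 19:47", "ijk", "lmn", "PUT", 0, "loc3", "success"),
    ("2022-01-17 22:47", "ijk", "lmn", "Patch", 2, "loc3", "error"),
    ("2022-01-18 22:47", "ijk", "lmn", "Delete", 0, "loc3", "success"),
    ("2022-01-19 22:47", "ijk", "lmn", "PUT", 1, "loc3", "warning"),
    ("2022-01-20 22:47", "ijk", "lmn", "Patch", 0, "loc3", "success"),
    ("2022-02-17 16:47", "abc1", "cde", "PUT", 0, "loc1", "success"),
    ("2022-02-18 16:47", "abc1", "cde", "Patch", 1, "loc1", "warning"),
    ("2022-02-19 16:47", "abc1", "cde", "Patch", 2, "loc1", "specific error"),
]

def is_specific(r):
    # Same predicate as specific_error_flag in the query
    return r[3] == "Patch" and r[4] == 2 and r[6] == "specific error"

def unresolved_specific_errors(rows):
    """Per user: first specific error of the last match, if that match ended in an error."""
    user = lambda r: (r[1], r[2])
    hits = []
    # "YYYY-MM-DD HH:MM" strings sort chronologically, like `order by ... timeStamp asc`
    for _, recs in groupby(sorted(rows, key=lambda r: (user(r), r[0])), key=user):
        last = None      # last match: [first specific-error row, closed by a non-error?]
        in_run = False   # True while in step 1 (errors following a specific error)
        for r in recs:
            if in_run and r[4] == 2:
                continue                         # step 1 continues with another error
            if is_specific(r):
                last, in_run = [r, False], True  # a new match starts
            elif in_run:
                last[1], in_run = True, False    # step 2: first non-error ends the match
        if last and not last[1]:
            hits.append(last[0])
    return hits
```
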