Kusto - 按持续时间值分组以显示数字
Kusto - Group by duration value to show numbers
我使用下面的查询来计算两个事件之间的时间差。但我不确定如何对 duraions 进行分组。我尝试了案例功能,但它似乎不起作用。有没有办法对持续时间进行分组。例如,饼图或柱形图显示持续时间超过 2 小时、超过 5 小时和超过 10 小时的项目数。谢谢
| where EventName in ('Handligrequest','Requestcomplete')
| summarize Time_diff = anyif(Timestamp,EventName == "SlackMessagePosted") - anyif(Timestamp,EventName == "ReceivedSlackMessage") by CorrelationId
| where isnotnull(Time_diff)
| extend Duration = format_timespan(Time_diff, 's')
| sort by Duration desc```
// Generate data sample. Not part of the solution
let t = materialize (range i from 1 to 1000 step 1 | extend Time_diff = 24h*rand());
// Solution Starts here
t
| summarize count() by time_diff_range = case(Time_diff >= 10h, "10h <= x", Time_diff >= 5h, "5h <= x < 10h", Time_diff >= 2h, "2h <= x < 5h", "x < 2h")
| render piechart
time_diff_range
count_
10h <= x
590
5h <= x < 10h
209
x < 2h
89
2h <= x < 5h
112
我使用下面的查询来计算两个事件之间的时间差。但我不确定如何对 duraions 进行分组。我尝试了案例功能,但它似乎不起作用。有没有办法对持续时间进行分组。例如,饼图或柱形图显示持续时间超过 2 小时、超过 5 小时和超过 10 小时的项目数。谢谢
| where EventName in ('Handligrequest','Requestcomplete')
| summarize Time_diff = anyif(Timestamp,EventName == "SlackMessagePosted") - anyif(Timestamp,EventName == "ReceivedSlackMessage") by CorrelationId
| where isnotnull(Time_diff)
| extend Duration = format_timespan(Time_diff, 's')
| sort by Duration desc```
// Generate data sample. Not part of the solution
let t = materialize (range i from 1 to 1000 step 1 | extend Time_diff = 24h*rand());
// Solution Starts here
t
| summarize count() by time_diff_range = case(Time_diff >= 10h, "10h <= x", Time_diff >= 5h, "5h <= x < 10h", Time_diff >= 2h, "2h <= x < 5h", "x < 2h")
| render piechart
| time_diff_range | count_ |
|---|---|
| 10h <= x | 590 |
| 5h <= x < 10h | 209 |
| x < 2h | 89 |
| 2h <= x < 5h | 112 |