Azure Kusto: join multiple graphs/tables, two into one
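I am trying to combine the two charts I have now (which work as expected) into one that shows In and Out. I used the join command, which I thought would work, but it does not. Am I missing something?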
syslog_CL
| where data_s contains "out"
| where hostname_s contains "interface"
| where TimeGenerated > ago(1hr)
| summarize Reject=dcount(data_s) by bin(TimeGenerated, 5m)
| project Reject
| join kind = inner (
syslog_CL
| where data_s contains "in"
| where hostname_s contains "interface"
| where TimeGenerated > ago(1hr)
| summarize allow=dcount(data_s) by bin(TimeGenerated, 5m)
| project allow
)
| order by timestamp asc
You could try this, using the dcountif() aggregation function:
syslog_CL
| where TimeGenerated > ago(1hr)
| where hostname_s contains "interface"
| summarize reject = dcountif(data_s, data_s contains "out"),
allow = dcountif(data_s, data_s contains "in")
by bin(TimeGenerated, 5m)
| render timechart
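Why the join in the question returns nothing usable, as an added example (not code from the question or the answer): each `project` drops the `TimeGenerated` bin, the `join` has no `on` key, and the final `order by timestamp` names a column that does not exist. The `datatable` rows and the `age_min` helper column are constructed assumptions standing in for the real `syslog_CL` table.

```kusto
// Constructed sample rows standing in for syslog_CL.
// age_min (hypothetical helper column) is the row's age in minutes.
let syslog_CL = datatable(age_min:int, hostname_s:string, data_s:string) [
    2,  "fw1-interface", "out deny tcp 10.0.0.5",
    3,  "fw1-interface", "out deny tcp 10.0.0.6",
    3,  "fw1-interface", "in permit tcp 10.0.0.7",
    12, "fw1-interface", "in permit tcp 10.0.0.8",
    90, "fw1-interface", "out deny tcp 10.0.0.9"   // older than 1h, filtered out
]
| extend TimeGenerated = now() - age_min * 1m;
// Shared filters, written once so both sides see the same rows.
let base = syslog_CL
    | where TimeGenerated > ago(1h)
    | where hostname_s contains "interface";
base
// contains is a substring match: "in" would also match e.g. "login".
| where data_s contains "out"
// Keep the time bin: it is the join key and the chart's x-axis.
| summarize Reject = dcount(data_s) by TimeGenerated = bin(TimeGenerated, 5m)
// fullouter keeps bins that have only rejects or only allows;
// inner would silently drop them from the chart.
| join kind=fullouter (
    base
    | where data_s contains "in"
    | summarize allow = dcount(data_s) by TimeGenerated = bin(TimeGenerated, 5m)
) on TimeGenerated
// The right-hand key comes back as TimeGenerated1; merge the two keys
// and turn missing counts into 0.
| project TimeGenerated = coalesce(TimeGenerated, TimeGenerated1),
          Reject = coalesce(Reject, 0),
          allow = coalesce(allow, 0)
| order by TimeGenerated asc
| render timechart
```

The `dcountif()` query above produces the same two series in a single pass over the table, which is why it is the simpler choice here.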