在 kusto 中格式化结果
format the results in kusto
例子
在下面的示例中,我们需要汇总用户日志。
datatable(user:string, dt:datetime,page: string, value:int)
[
'chmod', datetime(2019-07-15), "page1", 1,
'ls', datetime(2019-07-02), "page2", 2,
'dir', datetime(2019-07-22), "page3", 3,
'mkdir', datetime(2019-07-14), "page4", 4,
'rm', datetime(2019-07-27), "page5", 5,
'pwd', datetime(2019-07-25), "page6", 6,
'rm', datetime(2019-07-23), "page7", 7,
'pwd', datetime(2019-07-25), "page8", 8,
]
| summarize commands_details = make_list(pack('dt', dt, 'page', page, "value", value)) by user
结果
最后一个示例查询中的结果将类似于
"user": pwd,
"commands_details": [
{
"dt": "2019-07-25T00:00:00.0000000Z",
"page": "page6",
"value": 6
},
{
"dt": "2019-07-25T00:00:00.0000000Z",
"page": "page8",
"value": 8
}
],
预期结果
但我需要如下结果
"user": pwd,
"commands_details": [
{
"dt": "2019-07-25T00:00:00.0000000Z",
"data":[
{"page": "page6", "value": 6},
{"page": "page8", "value": 8}
]
}
],
问题
Kusto 中有什么方法可以像预期的部分一样形成结果吗?
您可以使用下一个查询来实现:
datatable(user:string, dt:datetime,page: string, value:int)
[
'chmod', datetime(2019-07-15), "page1", 1,
'ls', datetime(2019-07-02), "page2", 2,
'dir', datetime(2019-07-22), "page3", 3,
'mkdir', datetime(2019-07-14), "page4", 4,
'rm', datetime(2019-07-27), "page5", 5,
'pwd', datetime(2019-07-25), "page6", 6,
'rm', datetime(2019-07-23), "page7", 7,
'pwd', datetime(2019-07-25), "page8", 8,
]
| summarize commands_details = make_list(pack('page', page, "value", value)) by user, dt
| project result = pack('user', user, 'data', pack('dt', dt, 'data', commands_details))
一个结果('pwd'):
{
"user": "pwd",
"data": {
"dt": "2019-07-25T00:00:00Z",
"data": [
{
"page": "page6",
"value": 6
},
{
"page": "page8",
"value": 8
}
]
}
}
例子 在下面的示例中,我们需要汇总用户日志。
datatable(user:string, dt:datetime,page: string, value:int)
[
'chmod', datetime(2019-07-15), "page1", 1,
'ls', datetime(2019-07-02), "page2", 2,
'dir', datetime(2019-07-22), "page3", 3,
'mkdir', datetime(2019-07-14), "page4", 4,
'rm', datetime(2019-07-27), "page5", 5,
'pwd', datetime(2019-07-25), "page6", 6,
'rm', datetime(2019-07-23), "page7", 7,
'pwd', datetime(2019-07-25), "page8", 8,
]
| summarize commands_details = make_list(pack('dt', dt, 'page', page, "value", value)) by user
结果 最后一个示例查询中的结果将类似于
"user": pwd,
"commands_details": [
{
"dt": "2019-07-25T00:00:00.0000000Z",
"page": "page6",
"value": 6
},
{
"dt": "2019-07-25T00:00:00.0000000Z",
"page": "page8",
"value": 8
}
],
预期结果 但我需要如下结果
"user": pwd,
"commands_details": [
{
"dt": "2019-07-25T00:00:00.0000000Z",
"data":[
{"page": "page6", "value": 6},
{"page": "page8", "value": 8}
]
}
],
问题 Kusto 中有什么方法可以像预期的部分一样形成结果吗?
您可以使用下一个查询来实现:
datatable(user:string, dt:datetime,page: string, value:int)
[
'chmod', datetime(2019-07-15), "page1", 1,
'ls', datetime(2019-07-02), "page2", 2,
'dir', datetime(2019-07-22), "page3", 3,
'mkdir', datetime(2019-07-14), "page4", 4,
'rm', datetime(2019-07-27), "page5", 5,
'pwd', datetime(2019-07-25), "page6", 6,
'rm', datetime(2019-07-23), "page7", 7,
'pwd', datetime(2019-07-25), "page8", 8,
]
| summarize commands_details = make_list(pack('page', page, "value", value)) by user, dt
| project result = pack('user', user, 'data', pack('dt', dt, 'data', commands_details))
一个结果('pwd'):
{
"user": "pwd",
"data": {
"dt": "2019-07-25T00:00:00Z",
"data": [
{
"page": "page6",
"value": 6
},
{
"page": "page8",
"value": 8
}
]
}
}