Kusto/KQL:按时间桶和计数(字符串)列汇总
Kusto/KQL: summarize by time bucket AND count(string) column
我有 table 个 http 响应,包括时间戳、服务名称和我想使用 KQL/Kusto 查询的 http 响应代码。
我的目标是 table 告诉我“过去 5 分钟内特定服务有多少特定类型(2xx、4xx 等)的 HTTP 响应”
我想按 5 分钟的时间段 和 ResponseType(基本上是响应代码 class)总结行 - 但我似乎无法让它工作。当我将 count(ResponseType) 添加到摘要子句时,它 returns 错误消息 Function 'count' cannot be invoked in current context.
我的 KQL 是这样的
InsightsMetrics
| extend Tags = parse_json(Tags)
| extend Responsecode = tostring(Tags.["code"])
| extend ResponseType = strcat(substring(Responsecode, 0, 1), "XX")
| extend Service = tostring(Tags.["service"])
| where TimeGenerated >= now(-4h)
| where Namespace == "prometheus"
| where Name contains "traefik_service_requests_total"
| project TimeGenerated, Responsecode, Service, ResponseType
| summarize by bin(TimeGenerated, 5m), ResponseType
其中 returns 个数据是这样的:
| TimeGenerated | ResponseType | Service |
|---------------------|--------------|----------------------------------------------------------|
| 2020-10-01 10:25:00 | 3XX | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
| 2020-10-01 10:30:00 | 2XX | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
| 2020-10-01 10:30:00 | 2XX | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
| 2020-10-01 10:30:00 | 4XX | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
当我想要这样的东西时
| TimeGenerated | ResponseType | count(ResponseType) | Service |
|---------------------|--------------|---------------------|----------------------------------------------------------|
| 2020-10-01 10:25:00 | 3XX | 1 | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
| 2020-10-01 10:30:00 | 2XX | 2 | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
| 2020-10-01 10:30:00 | 4XX | 1 | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
您只需更换
| summarize by bin(TimeGenerated, 5m), ResponseType
和
| summarize count() by bin(TimeGenerated, 5m), ResponseType, Service
我有 table 个 http 响应,包括时间戳、服务名称和我想使用 KQL/Kusto 查询的 http 响应代码。
我的目标是 table 告诉我“过去 5 分钟内特定服务有多少特定类型(2xx、4xx 等)的 HTTP 响应”
我想按 5 分钟的时间段 和 ResponseType(基本上是响应代码 class)总结行 - 但我似乎无法让它工作。当我将 count(ResponseType) 添加到摘要子句时,它 returns 错误消息 Function 'count' cannot be invoked in current context.
我的 KQL 是这样的
InsightsMetrics
| extend Tags = parse_json(Tags)
| extend Responsecode = tostring(Tags.["code"])
| extend ResponseType = strcat(substring(Responsecode, 0, 1), "XX")
| extend Service = tostring(Tags.["service"])
| where TimeGenerated >= now(-4h)
| where Namespace == "prometheus"
| where Name contains "traefik_service_requests_total"
| project TimeGenerated, Responsecode, Service, ResponseType
| summarize by bin(TimeGenerated, 5m), ResponseType
其中 returns 个数据是这样的:
| TimeGenerated | ResponseType | Service |
|---------------------|--------------|----------------------------------------------------------|
| 2020-10-01 10:25:00 | 3XX | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
| 2020-10-01 10:30:00 | 2XX | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
| 2020-10-01 10:30:00 | 2XX | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
| 2020-10-01 10:30:00 | 4XX | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
当我想要这样的东西时
| TimeGenerated | ResponseType | count(ResponseType) | Service |
|---------------------|--------------|---------------------|----------------------------------------------------------|
| 2020-10-01 10:25:00 | 3XX | 1 | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
| 2020-10-01 10:30:00 | 2XX | 2 | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
| 2020-10-01 10:30:00 | 4XX | 1 | prod-service-internal-50f0bab542c7d81ed22e@kubernetescrd |
您只需更换
| summarize by bin(TimeGenerated, 5m), ResponseType
和
| summarize count() by bin(TimeGenerated, 5m), ResponseType, Service