KQL, time difference between separate rows in same table

I have a Sessions table

Sessions
|Timespan|Name |No|
|12:00:00|Start|1 |
|12:01:00|End  |2 |
|12:02:00|Start|3 |
|12:04:00|Start|4 |
|12:04:30|Error|5 |

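I need to extract the duration of each session from it using KQL (but if you can suggest how I could do it with another query language, that would also be very helpful). However, if the next row after a start is also a start, it means the session was abandoned and we should ignore it.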

Expected result:

|Duration|SessionNo|
|00:01:00|    1    |
|00:00:30|    4    |

You could try something like this:

Sessions
| order by No asc
// Timespan is the time column as named in the question's table.
| extend nextName = next(Name), nextTimestamp = next(Timespan)
| where Name == "Start" and nextName != "Start"
| project Duration = nextTimestamp - Timespan, No

When you use the order by operator, you get a serialized row set, on which you can then use operators such as next and prev. Basically you are looking for rows where No == "Start" and next(Name) == "End", so this is what I did.

You can find this query running in the Kusto Samples open database.

let Sessions = datatable(Timestamp: datetime, Name: string, No: long) [
    datetime(12:00:00),"Start",1,
    datetime(12:01:00),"End",2,
    datetime(12:02:00),"Start",3,
    datetime(12:04:00),"Start",4,
    datetime(12:04:30),"Error",5
];
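Sessions
| order by No asc
// A row closes a session when it is not a Start and the row before it is a Start.
| extend Duration = iff(Name != "Start" and prev(Name) == "Start", Timestamp - prev(Timestamp), timespan(null)), SessionNo = prev(No)
// Rows that do not close a session have a null Duration; drop them.
| where isnotnull(Duration)
| project Duration, SessionNo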
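
The same prev()-based pairing, extended beyond the question's single stream to a log in which several users' events interleave, as is typical for sign-in or session telemetry. This is an added example, not code from either answer; the `User` column and all sample rows are constructed assumptions.

```kql
// Constructed sample data. The User column is an assumption; the question's table has no such column.
let Sessions = datatable(Timestamp: datetime, User: string, Name: string, No: long) [
    datetime(2024-01-01 12:00:00), "alice", "Start", 1,
    // bob's session began before the captured window, so his first row is a closing event
    datetime(2024-01-01 12:00:20), "bob",   "End",   2,
    datetime(2024-01-01 12:01:00), "alice", "End",   3,
    // abandoned: followed by another Start from the same user
    datetime(2024-01-01 12:02:00), "alice", "Start", 4,
    datetime(2024-01-01 12:04:00), "alice", "Start", 5,
    datetime(2024-01-01 12:04:30), "alice", "Error", 6,
    datetime(2024-01-01 12:05:00), "bob",   "Start", 7,
    // still open when the window ends: no closing row follows
    datetime(2024-01-01 12:06:00), "alice", "Start", 8
];
Sessions
// Serialize the rows so that each user's events are contiguous and in sequence.
| order by User asc, No asc
| extend PrevUser = prev(User), PrevName = prev(Name), PrevTime = prev(Timestamp), PrevNo = prev(No)
// A row closes a session only if the row just before it is a Start from the same user.
// The PrevUser check stops bob's first row from pairing with alice's last Start.
| where Name != "Start" and PrevName == "Start" and PrevUser == User
| project User, SessionNo = PrevNo, Duration = Timestamp - PrevTime, ClosedBy = Name
| order by SessionNo asc
```

Looking backwards from the closing row means a trailing Start with nothing after it never reaches the output, and `ClosedBy` keeps sessions that ended in Error distinguishable from clean ones.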