In KQL, how can I convert `make-series` into a table?
The query below returns the data I need:

```
let timeSpn = bin(ago(60m),1m);
requests
| where cloud_RoleName == "myApp"
| where success == "False"
| where timestamp > timeSpn
| make-series count() on timestamp from timeSpn to now() step 1m by application_Version
```

The problem is that the result consists of 2 rows (one row per `application_Version`) rather than 120 rows (one row per minute and per version).

I have to use `make-series` rather than a simple `summarize` because I need the "zero" values.
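You can use the `mv-expand` operator.

Here is an example from Back-fill Missing Dates With Zeros in a Time Chart:

```
let start=floor(ago(3d), 1d);
let end=floor(now(), 1d);
let interval=5m;
requests
| where timestamp > start
// make-series returns one row holding parallel arrays; empty bins get default=0
| make-series counter=count() default=0
on timestamp in range(start, end, interval)
// expand the two arrays in lockstep into one row per time bin
| mv-expand timestamp, counter
// expanded values are dynamic, so cast them back to concrete types
| project todatetime(timestamp), toint(counter)
| render timechart
```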
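The same approach applied to the query in the question, keeping the `by application_Version` split. This is an added example, not part of the original answer: the fixed time window and the inline `requests` datatable are constructed sample data so the query runs without a workspace, and the column name `failures` is an assumption.

```kql
// Constructed sample data standing in for the Application Insights `requests` table.
let start = datetime(2024-01-01 10:00:00);
let end   = datetime(2024-01-01 10:05:00);
let requests = datatable(timestamp: datetime, cloud_RoleName: string,
                         success: string, application_Version: string)
[
    datetime(2024-01-01 10:00:20), "myApp",    "False", "1.0",
    datetime(2024-01-01 10:00:40), "myApp",    "False", "1.0",
    datetime(2024-01-01 10:03:10), "myApp",    "False", "1.0",
    datetime(2024-01-01 10:01:05), "myApp",    "False", "2.0",
    datetime(2024-01-01 10:01:30), "myApp",    "True",  "2.0",  // dropped by the success filter
    datetime(2024-01-01 10:04:50), "otherApp", "False", "2.0"   // dropped by the role filter
];
requests
| where cloud_RoleName == "myApp"
| where success == "False"
| where timestamp >= start and timestamp < end
// One row per application_Version, each holding two parallel arrays
// (the time axis and the per-minute counts, with empty minutes set to 0).
| make-series failures = count() default = 0
    on timestamp from start to end step 1m by application_Version
// Expand both arrays together and cast the elements, giving one row
// per (application_Version, minute) with the zero bins preserved.
| mv-expand timestamp to typeof(datetime), failures to typeof(long)
| project timestamp, application_Version, failures
| order by application_Version asc, timestamp asc
```

Against the live table, drop the `let requests` definition and use `bin(ago(60m), 1m)` and `now()` as the window bounds, as in the question.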