使用 KQL (Kusto) 选择行时遇到问题
Having trouble selecting rows using KQL (Kusto)
我正在尝试 select 基于时间戳的行。在下面的示例数据中,某些列包含重复的计算机名称。我对具有最新时间戳的行感兴趣。
+------------------------+----------+---------+------------+
| TIMEST AMP | COMPUTER | VERSION | MORE COLS. |
+------------------------+----------+---------+------------+
| 2019-10-02 10:32:40 | COMPA | 1234 | ... |
+------------------------+----------+---------+------------+
| 2019-09-12 11:15 23 | COMPA | 1235 | ... |
+------------------------+----------+---------+------------+
| 2019-11-13 15:23:25 | COMPA | 1234 | ... |
+------------------------+----------+---------+------------+
| 2019-10-02 10:32:40 | COMPB | 1234 | ... |
+------------------------+----------+---------+------------+
| 2019-09-13 11:15 23 | COMPC | 1235 | ... |
+------------------------+----------+---------+------------+
| 2019-11-13 15:23:25 | COMPC | 1235 | ... |
+------------------------+----------+---------+------------+
应返回以下结果
+------------------------+----------+---------+------------+
| TIMEST AMP | COMPUTER | VERSION | MORE COLS. |
+------------------------+----------+---------+------------+
| 2019-11-13 15:23:25 | COMPA | 1234 | ... |
+------------------------+----------+---------+------------+
| 2019-10-02 10:32:40 | COMPB | 1234 | ... |
+------------------------+----------+---------+------------+
| 2019-11-13 15:23:25 | COMPC | 1235 | ... |
+------------------------+----------+---------+------------+
看起来嵌套查询应该有效。我找到了一个例子,但我不确定如何让它与这些数据一起工作
样本
dependencies
| where resultCode == toscalar(
dependencies
| where resultId == 7
| top 1 by timestamp desc
| project resultCode)
您可以尝试使用 summarize arg_max() (doc):
datatable(timestamp:datetime, computer:string, version:int)
[
datetime(2019-10-02 10:32:40), 'COMPA', 1234,
datetime(2019-09-12 11:15:23), 'COMPA', 1235,
datetime(2019-11-13 15:23:25), 'COMPA', 1234,
datetime(2019-10-02 10:32:40), 'COMPB', 1234,
datetime(2019-09-13 11:15:23), 'COMPC', 1235,
datetime(2019-11-13 15:23:25), 'COMPC', 1235,
]
| summarize arg_max(timestamp, *) by computer
-->
| computer | timestamp | version |
|----------|-----------------------------|---------|
| COMPA | 2019-11-13 15:23:25.0000000 | 1234 |
| COMPB | 2019-10-02 10:32:40.0000000 | 1234 |
| COMPC | 2019-11-13 15:23:25.0000000 | 1235 |
我正在尝试 select 基于时间戳的行。在下面的示例数据中,某些列包含重复的计算机名称。我对具有最新时间戳的行感兴趣。
+------------------------+----------+---------+------------+
| TIMEST AMP | COMPUTER | VERSION | MORE COLS. |
+------------------------+----------+---------+------------+
| 2019-10-02 10:32:40 | COMPA | 1234 | ... |
+------------------------+----------+---------+------------+
| 2019-09-12 11:15 23 | COMPA | 1235 | ... |
+------------------------+----------+---------+------------+
| 2019-11-13 15:23:25 | COMPA | 1234 | ... |
+------------------------+----------+---------+------------+
| 2019-10-02 10:32:40 | COMPB | 1234 | ... |
+------------------------+----------+---------+------------+
| 2019-09-13 11:15 23 | COMPC | 1235 | ... |
+------------------------+----------+---------+------------+
| 2019-11-13 15:23:25 | COMPC | 1235 | ... |
+------------------------+----------+---------+------------+
应返回以下结果
+------------------------+----------+---------+------------+
| TIMEST AMP | COMPUTER | VERSION | MORE COLS. |
+------------------------+----------+---------+------------+
| 2019-11-13 15:23:25 | COMPA | 1234 | ... |
+------------------------+----------+---------+------------+
| 2019-10-02 10:32:40 | COMPB | 1234 | ... |
+------------------------+----------+---------+------------+
| 2019-11-13 15:23:25 | COMPC | 1235 | ... |
+------------------------+----------+---------+------------+
看起来嵌套查询应该有效。我找到了一个例子,但我不确定如何让它与这些数据一起工作
样本
dependencies
| where resultCode == toscalar(
dependencies
| where resultId == 7
| top 1 by timestamp desc
| project resultCode)
您可以尝试使用 summarize arg_max() (doc):
datatable(timestamp:datetime, computer:string, version:int)
[
datetime(2019-10-02 10:32:40), 'COMPA', 1234,
datetime(2019-09-12 11:15:23), 'COMPA', 1235,
datetime(2019-11-13 15:23:25), 'COMPA', 1234,
datetime(2019-10-02 10:32:40), 'COMPB', 1234,
datetime(2019-09-13 11:15:23), 'COMPC', 1235,
datetime(2019-11-13 15:23:25), 'COMPC', 1235,
]
| summarize arg_max(timestamp, *) by computer
-->
| computer | timestamp | version |
|----------|-----------------------------|---------|
| COMPA | 2019-11-13 15:23:25.0000000 | 1234 |
| COMPB | 2019-10-02 10:32:40.0000000 | 1234 |
| COMPC | 2019-11-13 15:23:25.0000000 | 1235 |