I have a Sessions table:
|Timespan|Name |No|
|12:00:00|Start|1 |
|12:01:00|End |2 |
|12:02:00|Start|3 |
|12:04:00|Start|4 |
|12:04:30|Error|5 |
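I need to extract the duration of each session from it using KQL (but if you can suggest how to do this in another query language, that would also be very helpful). However, if the next row after a Start is also a Start, it means the session was abandoned and we should ignore it.
Expected result: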
|Duration|SessionNo|
|00:01:00| 1 |
|00:00:30| 4 |
You can try something like this:
Sessions
| order by No asc
// Timespan is the time column of the question's table
| extend nextName = next(Name), nextTimestamp = next(Timespan)
| where Name == "Start" and nextName != "Start"
| project Duration = nextTimestamp - Timespan, No
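When you use the order by operator, you get a serialized row set, and then you can use operators such as next and prev. Basically you are looking for rows with No == "Start" and next(Name) == "End", so this is what I did.
You can find this query running in the Kusto Samples open database.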
let Sessions = datatable(Timestamp: datetime, Name: string, No: long) [
datetime(12:00:00),"Start",1,
datetime(12:01:00),"End",2,
datetime(12:02:00),"Start",3,
datetime(12:04:00),"Start",4,
datetime(12:04:30),"Error",5
];
Sessions
| order by No asc
| extend Duration = iff(Name != "Start" and prev(Name) == "Start", Timestamp - prev(Timestamp), timespan(null)), SessionNo = prev(No)
| where isnotnull(Duration)
| project Duration, SessionNo
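For the "other query language" part of the question, here is the same adjacent-row pairing in SQL, using the LEAD window function and run through Python's sqlite3 so it is self-contained. This is an added example, not part of either answer: the table layout copies the question's, the rows are constructed from it, and session_durations is a hypothetical helper name.

```python
import sqlite3

# Constructed sample rows mirroring the question's Sessions table.
ROWS = [
    ("12:00:00", "Start", 1),
    ("12:01:00", "End", 2),
    ("12:02:00", "Start", 3),
    ("12:04:00", "Start", 4),
    ("12:04:30", "Error", 5),
]

# LEAD() plays the role of KQL's next(); it needs SQLite 3.25 or newer.
# Assumption: all rows fall on the same day, so time() can format the difference.
QUERY = """
WITH paired AS (
    SELECT No, Name, Timespan,
           LEAD(Name)     OVER (ORDER BY No) AS NextName,
           LEAD(Timespan) OVER (ORDER BY No) AS NextTimespan
    FROM Sessions
)
SELECT time(strftime('%s', NextTimespan) - strftime('%s', Timespan),
            'unixepoch') AS Duration,
       No AS SessionNo
FROM paired
WHERE Name = 'Start'
  -- Start followed by Start is an abandoned session. A trailing Start has a
  -- NULL NextName, and NULL <> 'Start' is not true, so it is dropped as well.
  AND NextName <> 'Start'
ORDER BY No
"""


def session_durations(rows):
    """Return [(Duration, SessionNo)] for every Start closed by a non-Start row."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute("CREATE TABLE Sessions (Timespan TEXT, Name TEXT, No INTEGER)")
        con.executemany("INSERT INTO Sessions VALUES (?, ?, ?)", rows)
        return con.execute(QUERY).fetchall()
    finally:
        con.close()


if __name__ == "__main__":
    for duration, session_no in session_durations(ROWS):
        print(duration, session_no)
```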