Kusto - Avgif、最小值、最大值和中位数

【问题标题】:Kusto - Avgif, Min , Max and MedianKusto - Avgif、最小值、最大值和中位数
【发布时间】:2021-11-30 05:26:48
【问题描述】:

我正在将以下 Splunk 查询转换为 Kusto avg(eval(if(Test="Success", Duration, null()))) as AvgDuration

如果测试成功,则此查询将返回持续时间的平均值,否则返回空值。如果下面的 Kusto 查询将返回与我没有看到匹配的数字相同的结果,请您提出建议

| summarize AvgDuration = avgif (Duration, Test = "Success")

我如何在相同条件下计算最小值、最大值和中值。谢谢。

【问题讨论】:

    标签: azure-data-explorer kql kusto-explorer


    【解决方案1】:

    对于最小值和最大值,您可以:

        let T = datatable(Test:string, Duration:timespan)["Success", timespan(05:03:01.78),"Success", timespan(15:00:06.28),"Success", timespan(02:03:05.98),"Fail", timespan(00:03:01.28)];            
    T 
    | summarize AvgDuration = avgif (Duration, Test == "Success"), 
                MinDuration = minif (Duration, Test == "Success"), 
                MaxDuration = maxif (Duration, Test == "Success")
    AvgDuration MinDuration MaxDuration
    07:22:04.6800000 02:03:05.9800000 15:00:06.2800000

    percentile() 聚合函数没有“if”版本,因此您需要对其进行单独计算。最简单的方法是在聚合之前进行过滤,例如:

        let T = datatable(Test:string, Duration:timespan)["Success", timespan(05:03:01.78),"Success", timespan(15:00:06.28),"Success", timespan(02:03:05.98),"Fail", timespan(00:03:01.28)];
    T
    | where Test == "Success"
    | summarize AvgDuration = avg(Duration), 
                MinDuration = min(Duration), 
                MaxDuration = max(Duration),
                Median = percentile(Duration, 50)
    AvgDuration MinDuration MaxDuration Median
    07:22:04.6800000 02:03:05.9800000 15:00:06.2800000 05:03:01.7800000

    但是,有时您希望在聚合包含条件的同时聚合完整数据集。如果是这种情况,您将需要运行两个查询并加入它们。例如,假设您要包含完整计数:

        let T = datatable(Test:string, Duration:timespan)["Success", timespan(05:03:01.78),"Success", timespan(15:00:06.28),"Success", timespan(02:03:05.98),"Fail", timespan(00:03:01.28)];
    let T1 = T 
        | summarize AvgDuration = avgif (Duration, Test == "Success"), 
                    MinDuration = minif (Duration, Test == "Success"), 
                    MaxDuration = maxif (Duration, Test == "Success"),
                    TotalCount  = count()
                | extend Dummy = 1;
    let T2 = T 
        | where Test == "Success"
        | summarize Median = percentile(Duration, 50) 
        | extend Dummy = 1;
    T1 
    | lookup T2 on Dummy
    | project-away Dummy
    AvgDuration MinDuration MaxDuration TotalCount Median
    07:22:04.6800000 02:03:05.9800000 15:00:06.2800000 4 05:03:01.7800000

    如果聚合前有繁重的处理,可以考虑在T的计算周围使用materialize()函数。

    【讨论】:

    • 完美。答案很有帮助。谢谢
    猜你喜欢
    • 1970-01-01
    • 2013-06-27
    • 2023-04-02
    • 1970-01-01
    • 2018-07-17
    • 1970-01-01
    • 2013-09-02
    • 2012-11-20
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode