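Problem description
I am trying to build a Kusto query to verify whether logs are arriving in Azure Log Analytics tables. This is my code. The command runs perfectly and returns the number of records received. The problem is that the query output leaves out the names of tables that received zero (no) logs.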
union withsource=sourceTable kind=outer Table1,Table2,Table3
| summarize AggregatedValue=count() by bin(TimeGenerated,5m),sourceTable
Expected output:
| Table Name | Count |
----------------------
| Table1 | 5 |
| Table2 | 3 |
| Table3 | 0 | // If the count is zero, the query output does not show the table name
----------------------
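Solution
You did not specify a value for the bin(TimeGenerated,5m) column in your expected output. I assumed you don't really want to see this column there (otherwise, I'm not sure what exactly you would want to see in the expected output for Table3, which has 3 records).
To get the desired output, use the following trick: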
// One zero-count row per expected table, so silent tables still appear
let DefaultResult = datatable(['Table Name']: string, Count: long) [
    "Table1", 0,
    "Table2", 0,
    "Table3", 0
];
union withsource=sourceTable kind=outer Table1, Table2, Table3
| summarize Count = count() by ['Table Name'] = sourceTable
| union DefaultResult
// Summing merges the real counts with the zero defaults
| summarize Count = sum(Count) by ['Table Name']
| order by ['Table Name'] asc
This might help:
let reCount = union withsource=sourceTable kind=outer AppServiceFileAuditLogs,AzureDiagnostics,BaiClusterEvent
| summarize AggregatedValue=count() by sourceTable;
let tableList = datatable (name:string)
[
'AppServiceFileAuditLogs','AzureDiagnostics','BaiClusterEvent'
];
tableList
| join kind=leftouter reCount on $left.name == $right.sourceTable
| project name, count = iff(isnull(AggregatedValue), 0, AggregatedValue)
The idea here is to do a left join from a table expression that holds the table names (tableList), then put 0 wherever AggregatedValue is NULL.
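An added example, not part of the original answers: it applies the same left-join idea while keeping the question's 5-minute bins, so a table that received nothing shows a zero row for every bin instead of disappearing. The names lookback, step, expected, grid and counts and the one-hour window are assumptions; Table1, Table2 and Table3 are the question's placeholders.

```kusto
// Assumed window and bin size; adjust to the ingestion cadence you expect.
let lookback = 1h;
let step = 5m;
let start = bin(ago(lookback), step);
let end = bin(now(), step);
// Tables that are expected to receive logs (placeholders from the question).
let expected = datatable(sourceTable: string) ["Table1", "Table2", "Table3"];
// Build every (table, 5-minute bin) pair, whether or not data exists for it.
let grid = expected
| extend TimeGenerated = range(start, end, step)
| mv-expand TimeGenerated to typeof(datetime);
// Actual record counts per table and bin.
let counts = union withsource=sourceTable kind=outer Table1, Table2, Table3
| where TimeGenerated >= start
| summarize Count = count() by sourceTable, TimeGenerated = bin(TimeGenerated, step);
// Left join keeps every grid row; missing counts become 0.
grid
| join kind=leftouter counts on sourceTable, TimeGenerated
| project TimeGenerated, ['Table Name'] = sourceTable, Count = coalesce(Count, 0)
| order by ['Table Name'] asc, TimeGenerated asc
```

Appending `| where Count == 0` before the final `order by` leaves only the bins in which a table was silent, which is the form an ingestion-gap alert would use.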