问题描述
我正在尝试在Azure Log Analytics中合并多个表。每个表都有一个唯一列和一个公共列。将它们与Join()合并效率不高,因为我一次只能创建两个表。 Union()似乎是正确的函数,但是当我合并表时,在公共列中以重复的行结束。
示例:
// cpu usage
let cpu_table=VPN_Metrics_CL | extend timestamp = (todatetime(ts_s)+7h)
| where metric_s == "system/cpmcpuTotal1Min.rrd"
| extend region = substring(host_s,4)
| summarize maxcpu = max(val_d) by region
| extend score_cpu = case(maxcpu <= 59,maxcpu <= 79,1,3)
| project score_cpu,region;
// Memory usage
let Memory_table=VPN_Metrics_CL| extend timestamp = todatetime(ts_s)+7h
| where metric_s in ("hw_mem_used_pct") and val_d >= 0 and host_s contains "vpn"
| extend region = substring(host_s,4)
| summarize maxMemory = max(val_d) by region
| extend score_mem = case(maxMemory <= 59,maxMemory <= 79,3)
| project score_mem,region;
union cpu_table,Memory_table
我计划总共拥有10张以上的桌子。
这是结果:
score_mem | score_cpu | region
0 USA
0 USA
etc. etc.
如何基于键合并行?关键是区域。
谢谢
解决方法
如果源是同一张表,则最有效的方法是使用条件聚合:
let isCpuMetric = (metric_s:string) {metric_s == "system/cpmCPUTotal1Min.rrd"};
let isMemoryMetric = (metric_s:string,val_d:double,host_s:string) {metric_s in ("hw_mem_used_pct") and val_d >= 0 and host_s contains "vpn"};
VPN_Metrics_CL
| extend timestamp = (todatetime(ts_s)+7h)
| extend region = substring(host_s,4)
| where isCpuMetric(metric_s) or isMemoryMetric(metric_s,val_d,host_s)
| summarize maxCPU = maxif(val_d,isCpuMetric(metric_s)),maxMemory=maxif(val_d,isMemoryMetric(metric_s,host_s)) by region
| extend score_mem = case(maxMemory <= 59,maxMemory <= 79,1,3),score_CPU = case(maxCPU <= 59,maxCPU <= 79,3)
如果来源不同-您仍然可以加入或查找运算符。如果您有结果R1 .. RN-来自子查询:
R1
| lookup R2 on Region
| lookup R3 on Region
...
查找运算符的文档:https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/lookupoperator
,我发现为每个类别的分数列赋予相同的名称更加容易:“得分” 然后使用Union,我合并所有表格并汇总总分。
union CPU_table,Memory_table,AAA_table,bw_data,more_tables.....
| summarize score_total = sum(score) by region,bin(timestamp,$__interval)
| project score_total,region,timestamp