I am performing a join between two events as shown below. How can I get distinct rows in the final output?

let fromdate = "2017-04-26 23:00";

let fileEvents = (Events
| where Timestamp > todatetime(fromdate) 
| project fileId, fileName, Application);

fileEvents | join (Events
    | where Timestamp > todatetime(fromdate) and Data.Size > 1024
    | project fileId) on fileId
| project fileId,Application, fileName;

Query output

1 , Web , Agreement
1 , Web , Agreement
2 , Api , Contract
2 , Api , Contract
1 , Web , Agreement
2 , Api , Contract

I want the output to be

1 , Web , Agreement
2 , Api , Contract

1 Answer

Use the summarize operator to summarize by all result columns:

let fromdate = "2017-04-26 23:00";

let fileEvents = (Events
| where Timestamp > todatetime(fromdate) 
| project fileId, fileName, Application);

fileEvents
| join (Events
| where Timestamp > todatetime(fromdate) and Data.Size > 1024
| project fileId) on fileId
| summarize by fileId, Application, fileName

An equivalent of the above would be:

let fromdate = "2017-04-26 23:00";
Events
| where Timestamp > todatetime(fromdate) 
| project fileId, fileName, Application
| join (
    Events
    | where Timestamp > todatetime(fromdate) and Data.Size > 1024
    | project fileId) on fileId
| summarize by fileId, Application, fileName
Answered 2017-04-28T22:02:49.927
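
An added example, not part of the original question or answer: the default join flavor (`innerunique`) deduplicates only the left side on the join key, so every matching right-side event still emits a row. This variant deduplicates both sides before the join instead of collapsing the result afterwards. The `datatable` rows are constructed sample data, and the `largeFileIds` name and the `tolong()` cast on `Data.Size` are assumptions.

```kusto
// Constructed sample rows standing in for the Events table (not real data).
let Events = datatable(Timestamp:datetime, fileId:long, fileName:string,
                       Application:string, Data:dynamic)
[
    datetime(2017-04-27 01:00), 1, "Agreement", "Web", dynamic({"Size": 2048}),
    datetime(2017-04-27 02:00), 1, "Agreement", "Web", dynamic({"Size": 4096}),
    datetime(2017-04-27 03:00), 1, "Agreement", "Web", dynamic({"Size": 8192}),
    datetime(2017-04-27 01:30), 2, "Contract",  "Api", dynamic({"Size": 2048}),
    datetime(2017-04-27 02:30), 2, "Contract",  "Api", dynamic({"Size": 3000}),
    datetime(2017-04-27 04:00), 3, "Invoice",   "Web", dynamic({"Size": 100}),
    datetime(2017-04-25 09:00), 4, "Archive",   "Api", dynamic({"Size": 9000})
];
let fromdate = datetime(2017-04-26 23:00);
// Hypothetical helper: one row per fileId that has at least one large event.
let largeFileIds = Events
    | where Timestamp > fromdate and tolong(Data.Size) > 1024
    | distinct fileId;
Events
| where Timestamp > fromdate
| distinct fileId, Application, fileName      // one row per file on the left
| join kind=inner (largeFileIds) on fileId    // at most one match per fileId
| project fileId, Application, fileName
```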