0

我正在尝试查询日志分析 Perf 表。此表包含有关计算机的性能计数器。

我想在一行中获取机器的所有性能计数器。

我已经编写了这个 Kusto 查询,但它会将每个计数器都放在他自己的行中。

Perf  
| where Computer in ('aks-nodepool1-85388480-3', 'aks-agentpool-40719753-2') 
| summarize arg_max(TimeGenerated, *) by CounterName, Computer
| project   Computer, CounterName, TimeGenerated, CounterValue

我想要一个可以带来以下结果的查询:

(Computer1, TimeGenerated, CounterName1, CounterName1Value, CounterName2, CounterName2Value, ...)

(计算机 2、时间生成、计数器名称 1、计数器名称 1 值、计数器名称 2、计数器名称 2 值,...)

(Computer3, TimeGenerated, CounterName1, CounterName1Value, CounterName2, CounterName2Value, ...)

任何帮助或建议将不胜感激。

4

1 回答 1

2

这样的事情怎么样?(它的输出模式与您最初在问题中提到的输出模式略有不同)

datatable(Computer:string, CounterName:string, CounterValue:double, TimeGenerated:datetime)
[
    "comp1", "counter1", 1.0, datetime(2019-02-07 16:31:15),
    "comp2", "counter1", 1.1, datetime(2019-02-07 16:31:15),
    "comp3", "counter1", 1.2, datetime(2019-02-07 16:31:15),
    "comp4", "counter1", 1.3, datetime(2019-02-07 16:31:16),
    "comp2", "counter2", 1.4, datetime(2019-02-07 16:31:16),
    "comp3", "counter3", 1.5, datetime(2019-02-07 16:31:16),
    "comp4", "counter2", 1.6, datetime(2019-02-07 16:31:14),
]
| summarize TimeGenerated = any(TimeGenerated), d = make_dictionary(pack(CounterName, CounterValue)) by Computer
| evaluate bag_unpack(d)

将输出:

| Computer | TimeGenerated               | counter1 | counter2 | counter3 |
|----------|-----------------------------|----------|----------|----------|
| comp1    | 2019-02-07 16:31:15.0000000 | 1        |          |          |
| comp2    | 2019-02-07 16:31:15.0000000 | 1.1      | 1.4      |          |
| comp3    | 2019-02-07 16:31:15.0000000 | 1.2      |          | 1.5      |
| comp4    | 2019-02-07 16:31:16.0000000 | 1.3      | 1.6      |          |

你也可以这样做:

datatable(Computer:string, CounterName:string, CounterValue:double, TimeGenerated:datetime)
[
    "comp1", "counter1", 1.0, datetime(2019-02-07 16:31:15),
    "comp2", "counter1", 1.1, datetime(2019-02-07 16:31:15),
    "comp3", "counter1", 1.2, datetime(2019-02-07 16:31:15),
    "comp4", "counter1", 1.3, datetime(2019-02-07 16:31:16),
    "comp2", "counter2", 1.4, datetime(2019-02-07 16:31:16),
    "comp3", "counter3", 1.5, datetime(2019-02-07 16:31:16),
    "comp4", "counter2", 1.6, datetime(2019-02-07 16:31:14),
]
| summarize arg_max(TimeGenerated, *) by Computer, CounterName
| summarize d = make_dictionary(pack(CounterName, CounterValue, "TimeGenerated", TimeGenerated)) by Computer
| evaluate bag_unpack(d)

这将输出:

| Computer | TimeGenerated               | counter1 | counter2 | counter3 |
|----------|-----------------------------|----------|----------|----------|
| comp1    | 2019-02-07 16:31:15.0000000 | 1        |          |          |
| comp2    | 2019-02-07 16:31:15.0000000 | 1.1      | 1.4      |          |
| comp3    | 2019-02-07 16:31:15.0000000 | 1.2      |          | 1.5      |
| comp4    | 2019-02-07 16:31:16.0000000 | 1.3      | 1.6      |          |
于 2019-02-07T16:36:17.250 回答