0

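Goal: I have to query Table 1 and join it with the Table 2 entries.

Note: the events in Table 2 happen before those in Table 1, so I want to make sure that when I query Table 2 the startTime is less by 1 day or a few hours.

But it seems I can't pass the time context. I tried several approaches, but they all failed.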

```kusto
let minTime = customEvents | summarize min(timestamp) by appId | project min_timestamp;
let startTime = toscalar(minTime);

customEvents
 | where timestamp <= todatetime(startTime) 
 | take 10 ;
```

For example, the query above returns only the first entry in the table.

4

1 Answer

1

You could try the following:

```kusto
let customEvents = datatable(appId: string, timestamp:datetime, message:string)
[
    "A", datetime(2019-03-08 16:14:50), "Hello from 'A'",
    "A", datetime(2019-03-08 15:14:50), "Hello from 'A'",
    "A", datetime(2019-03-08 14:14:50), "Hello from 'A'",
    "A", datetime(2019-03-08 13:14:50), "Hello from 'A'",
    "B", datetime(2019-03-08 12:14:50), "Hello from 'B'",
    "B", datetime(2019-03-08 11:14:50), "Hello from 'B'",
    "D", datetime(2019-03-08 10:14:50), "Hello from 'D'",
    "C", datetime(2019-03-08 09:14:50), "Hello from 'C'",
    "D", datetime(2019-03-08 08:14:50), "Hello from 'D'",
    "C", datetime(2019-03-08 07:14:50), "Hello from 'C'",
]
;
let minTimeByAppId = toscalar(
    customEvents 
    | summarize min(timestamp) by appId 
    | summarize make_bag(pack(appId, min_timestamp)))
;
let otherTable = datatable(appId:string, timestamp:datetime, otherMessage:string)
[
    "A", datetime(2019-03-08 16:14:50), "Another hello from 'A'",
    "A", datetime(2019-03-07 16:14:50), "Another hello from 'A'",
    "B", datetime(2019-03-07 16:14:50), "Another hello from 'B'",
    "B", datetime(2019-03-08 16:14:50), "Another hello from 'B'",
    "C", datetime(2019-03-08 16:14:50), "Another hello from 'C'",
    "C", datetime(2019-03-08 16:14:50), "Another hello from 'C'",
    "D", datetime(2019-03-09 16:14:50), "Another hello from 'D'",
    "D", datetime(2019-03-08 16:14:50), "Another hello from 'D'",
]
;
otherTable
| where timestamp < minTimeByAppId[appId] // you could also add some 'delta' here
```

This will output:

| appId | timestamp                   | otherMessage           |
|-------|-----------------------------|------------------------|
| A     | 2019-03-07 16:14:50.0000000 | Another hello from 'A' |
| B     | 2019-03-07 16:14:50.0000000 | Another hello from 'B' |

Answered 2019-03-08T16:23:38.863
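
A variant of the answer's query with an explicit lookback window, given here as an added example that is not part of the original answer: it replaces the `make_bag` lookup with a `join` on `appId`, so each row carries its own per-app cutoff and the distance to it. The `lookback` value and the names `firstSeen`, `firstEvent` and `gap` are assumptions; the sample rows are the answer's own.

```kusto
// Assumed window: how far before an app's first customEvent a row may lie.
let lookback = 1d;
let customEvents = datatable(appId:string, timestamp:datetime, message:string)
[
    "A", datetime(2019-03-08 16:14:50), "Hello from 'A'",
    "A", datetime(2019-03-08 15:14:50), "Hello from 'A'",
    "A", datetime(2019-03-08 14:14:50), "Hello from 'A'",
    "A", datetime(2019-03-08 13:14:50), "Hello from 'A'",
    "B", datetime(2019-03-08 12:14:50), "Hello from 'B'",
    "B", datetime(2019-03-08 11:14:50), "Hello from 'B'",
    "D", datetime(2019-03-08 10:14:50), "Hello from 'D'",
    "C", datetime(2019-03-08 09:14:50), "Hello from 'C'",
    "D", datetime(2019-03-08 08:14:50), "Hello from 'D'",
    "C", datetime(2019-03-08 07:14:50), "Hello from 'C'",
];
let otherTable = datatable(appId:string, timestamp:datetime, otherMessage:string)
[
    "A", datetime(2019-03-08 16:14:50), "Another hello from 'A'",
    "A", datetime(2019-03-07 16:14:50), "Another hello from 'A'",
    "B", datetime(2019-03-07 16:14:50), "Another hello from 'B'",
    "B", datetime(2019-03-08 16:14:50), "Another hello from 'B'",
    "C", datetime(2019-03-08 16:14:50), "Another hello from 'C'",
    "C", datetime(2019-03-08 16:14:50), "Another hello from 'C'",
    "D", datetime(2019-03-09 16:14:50), "Another hello from 'D'",
    "D", datetime(2019-03-08 16:14:50), "Another hello from 'D'",
];
// One row per appId holding the earliest customEvents timestamp.
let firstSeen = customEvents
    | summarize firstEvent = min(timestamp) by appId;
otherTable
| join kind=inner firstSeen on appId
// Keep rows strictly before the app's first event, but no older than the window.
| where timestamp < firstEvent and timestamp >= firstEvent - lookback
// gap shows how long before the first customEvent each row occurred.
| project appId, timestamp, otherMessage, firstEvent, gap = firstEvent - timestamp
| order by appId asc, timestamp asc
```

With the sample rows, the two rows in the answer's output lie 21 and 19 hours before their app's first event, so both fall inside a one-day window; setting `lookback` to `20h` keeps only the `B` row.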