我有两个 Rawdata 事件,其中一个是具有一个时间戳的请求,另一个是具有不同时间跨度的响应,是否有一个 kusto 函数可以从 rawdata 中提取这两个日期并在两者之间进行时间差
问问题
4788 次
2 回答
1
就在这里。在不查看输入数据样本的情况下为您提供最佳选择有点具有挑战性,但您可能需要查看parse运算符:https ://docs.microsoft.com/en-us/azure/kusto/query/parseoperator ,或extract()功能:https : //docs.microsoft.com/en-us/azure/kusto/query/extractfunction
或者,在您的问题中包含一个示例输入,如下所示:
print request = "this<>is!!!my-request from 2019-08-14 17:54:36.8892211, the end",
response = "this is the matching 2019-08-14 17:55:36.0000033 response"
| parse request with * "from " request_datetime:datetime "," *
| parse response with * "matching " response_datetime:datetime " response"
| project diff = response_datetime - request_datetime
// this returns a single table with a single column named 'diff', whose value is '00:00:59.1107822'
或者
datatable(event_text:string, correlation_id:long) [
"this<>is!!!my-request from 2019-08-14 17:54:36.8892211, the end", 1,
"this is the matching 2019-08-14 17:55:36.0000033 response", 1,
]
| extend dt = extract(@"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{7})", 1, event_text, typeof(datetime))
| summarize diff = max(dt) - min(dt) by correlation_id
// this returns a single table with 2 columns named 'correlation_id' and 'diff', whose values are are '1' and '00:00:59.1107822'
于 2019-08-14T14:49:21.493 回答
0
Yoni 的回答向您展示了如何提取时间戳。拥有它们后,您就可以使用该datetime_diff功能。假设您想知道 2 个时间戳之间有多少秒的差异:
| extend TimeDiff = datetime_diff('second', SigninTime, EventTime)
您可以使用此信息进行过滤。假设您只想保留这些时间戳彼此在 20 秒内的行:
| filter TimeDiff < 20
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-difffunction
于 2021-03-01T17:53:41.380 回答