1

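I am using this query to display what I want in a workbook, but I want a separate tile for each value: Very High, High, Medium, and so on. When I write this query and open tiles in the visualization, it doesn't give me the option in the tile settings to create a tile for each variable. What can I do to achieve this?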

InALogs_CL
| summarize
    VeryHigh=count(risk_level_s=="very-high" or risk_assessment_risk_level_s=="very-high"),
    High=count(risk_level_s=="high" or risk_assessment_risk_level_s=="high"),
    Medium=count(risk_level_s=="medium" or risk_assessment_risk_level_s=="medium"),
    Low=count(risk_level_s=="low" or risk_assessment_risk_level_s=="low"),
    VeryLow=count(risk_level_s=="very-low" or risk_assessment_risk_level_s=="very-low"),
    None=count(risk_level_s=="none" or risk_assessment_risk_level_s=="none")
4

2 Answers

0

Each row of the query result becomes a tile. So if you want a tile for each severity, you'd want to do something more like

InALogs_CL
// Map each row to one severity label; rows matching no level fall through to "unknown"
| extend severity = case(
    risk_level_s=="very-high" or risk_assessment_risk_level_s=="very-high", "Very High",
    risk_level_s=="high" or risk_assessment_risk_level_s=="high", "High",
    risk_level_s=="medium" or risk_assessment_risk_level_s=="medium", "Medium",
    risk_level_s=="low" or risk_assessment_risk_level_s=="low", "Low",
    risk_level_s=="very-low" or risk_assessment_risk_level_s=="very-low", "Very Low",
    risk_level_s=="none" or risk_assessment_risk_level_s=="none", "None",
    "unknown")
// One result row (and therefore one tile) per severity
| summarize count() by severity

and you'd end up with results like

severity    count_
Very High   1
Low         1
unknown     27

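You can then use the "Thresholds" renderer in tiles to assign specific icons to the severity as the title field of the tile, and use the "Big Number" renderer for the left portion of the tile.

For severities that don't have any matching rows, you won't have a tile.

If you need all the tiles, even for 0, you can do an anti-join with a datatable that has individual rows with 0, or you can keep something like your original query (though I think the count items you have above should be countif?), and add a | evaluate narrow() at the end.

Not all data sources support the evaluate operator, though (Azure Resource Graph queries, for example, do not).

You might also want to use =~ in all of those comparisons if there's a chance the values could appear in other casing. Right now you'd get "unknown" for risk level values of "High" or "HIGH", since this only looks for all-lowercase "high".

Answered 2021-10-07T16:30:55.690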
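The `countif` plus `evaluate narrow()` option from the answer above, combined with its `=~` suggestion, written out as an added example (not code from either poster). `SampleLogs` is a constructed stand-in for `InALogs_CL`, assumed to have the same two columns; replace it with the real table to use the query in a workbook.

```kusto
// Constructed sample rows (not real data). Rows 2 and 3 use mixed or upper case,
// which == would miss and =~ matches; the last row matches no severity bucket.
let SampleLogs = datatable (risk_level_s: string, risk_assessment_risk_level_s: string) [
    "very-high", "",
    "High",      "",
    "",          "HIGH",
    "",          "low",
    "n/a",       ""
];
SampleLogs
// countif() counts rows where the predicate is true, so every bucket gets a
// column even when its count is 0.
| summarize
    VeryHigh = countif(risk_level_s =~ "very-high" or risk_assessment_risk_level_s =~ "very-high"),
    High     = countif(risk_level_s =~ "high"      or risk_assessment_risk_level_s =~ "high"),
    Medium   = countif(risk_level_s =~ "medium"    or risk_assessment_risk_level_s =~ "medium"),
    Low      = countif(risk_level_s =~ "low"       or risk_assessment_risk_level_s =~ "low"),
    VeryLow  = countif(risk_level_s =~ "very-low"  or risk_assessment_risk_level_s =~ "very-low"),
    // Bracket-quoted so the column name cannot be read as anything but an identifier.
    ['None'] = countif(risk_level_s =~ "none"      or risk_assessment_risk_level_s =~ "none")
// narrow() unpivots the single wide row into one row per column,
// with the columns Row, Column and Value (Value is a string).
| evaluate narrow()
// One row per severity, so the tiles visualization renders one tile each.
| project severity = Column, Count = tolong(Value)
```

Unlike the `case(...)` version, rows that match no bucket are simply not counted here, so there is no "unknown" tile to flag unexpected risk-level values.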
0

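I got the answer: I had to use a datatable to convert these values into a separate table so that each severity category can be detected in the tile settings.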

datatable (Count: long, status: string) [0, "Very High", 0, "High", 0, "Medium", 0, "Low", 0, "Very Low", 0, "None"]
| union
    (
    InALogs_CL
    | extend status = case(
        risk_level_s == "very-high" or risk_assessment_risk_level_s == "very-high", "Very High",
        risk_level_s == "high" or risk_assessment_risk_level_s == "high", "High",
        risk_level_s == "medium" or risk_assessment_risk_level_s == "medium", "Medium",
        risk_level_s == "low" or risk_assessment_risk_level_s == "low", "Low",
        risk_level_s == "very-low" or risk_assessment_risk_level_s == "very-low", "Very Low",
        risk_level_s == "none" or risk_assessment_risk_level_s == "none", "None",
        "True"
        )
    | where status != "True"
    | summarize Count = count() by status
    )
| summarize Count=sum(Count) by status
Answered 2021-10-08T04:11:31.283