0

I am working on a Splunk to Kusto dashboard conversion. Could you tell me how to convert the following Splunk query to Kusto?

I understand the filters on result, but I am stuck on the part that summarizes with max(_time) as time by jobid | sort -time

| stats count(eval(result=="failed")) as failed count(eval(result=="succeess" OR result=="progress")) as succeeded max(_time) as time by jobid | sort -time

4

1 Answer

1

It should be something like this:

| summarize failed = countif(result=="failed"), 
            succeeded = countif(result=="succeess" or result=="progress"),
            ['time'] = max(_time) by jobid 
| sort by ['time'] desc 
Answered 2021-11-16T08:39:54.947