我正在将以下 Splunk 查询转换为 Kusto
avg(eval(if(Test="Success", Duration, null()))) as AvgDuration
如果测试成功,则此查询将返回持续时间的平均值,否则返回空值。如果下面的 Kusto 查询将返回与我没有看到匹配的数字相同的结果,请您提出建议
| summarize AvgDuration = avgif (Duration, Test = "Success")
另外我如何计算具有相同条件的最小值、最大值和中值。谢谢。
对于最小值和最大值,您可以执行以下操作:
let T = datatable(Test:string, Duration:timespan)["Success", timespan(05:03:01.78),"Success", timespan(15:00:06.28),"Success", timespan(02:03:05.98),"Fail", timespan(00:03:01.28)];
T
| summarize AvgDuration = avgif (Duration, Test == "Success"),
MinDuration = minif (Duration, Test == "Success"),
MaxDuration = maxif (Duration, Test == "Success")
| 平均持续时间 | 最小持续时间 | 最长持续时间 |
|---|---|---|
| 07:22:04.6800000 | 02:03:05.9800000 | 15:00:06.2800000 |
percentile() 聚合函数没有“if”版本,因此您需要对其进行单独计算。最简单的方法是在聚合之前进行过滤,例如:
let T = datatable(Test:string, Duration:timespan)["Success", timespan(05:03:01.78),"Success", timespan(15:00:06.28),"Success", timespan(02:03:05.98),"Fail", timespan(00:03:01.28)];
T
| where Test == "Success"
| summarize AvgDuration = avg(Duration),
MinDuration = min(Duration),
MaxDuration = max(Duration),
Median = percentile(Duration, 50)
| 平均持续时间 | 最小持续时间 | 最长持续时间 | 中位数 |
|---|---|---|---|
| 07:22:04.6800000 | 02:03:05.9800000 | 15:00:06.2800000 | 05:03:01.7800000 |
但是,有时您希望在聚合包含条件的同时聚合完整数据集。如果是这种情况,您将需要运行两个查询并加入它们。例如,假设您要包含完整计数:
let T = datatable(Test:string, Duration:timespan)["Success", timespan(05:03:01.78),"Success", timespan(15:00:06.28),"Success", timespan(02:03:05.98),"Fail", timespan(00:03:01.28)];
let T1 = T
| summarize AvgDuration = avgif (Duration, Test == "Success"),
MinDuration = minif (Duration, Test == "Success"),
MaxDuration = maxif (Duration, Test == "Success"),
TotalCount = count()
| extend Dummy = 1;
let T2 = T
| where Test == "Success"
| summarize Median = percentile(Duration, 50)
| extend Dummy = 1;
T1
| lookup T2 on Dummy
| project-away Dummy
| 平均持续时间 | 最小持续时间 | 最长持续时间 | 总数 | 中位数 |
|---|---|---|---|---|
| 07:22:04.6800000 | 02:03:05.9800000 | 15:00:06.2800000 | 4 | 05:03:01.7800000 |
如果在聚合之前有繁重的处理,您可能需要考虑使用materialize()函数来计算T.