1

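I am new to the Kusto Query Language. The requirement is to raise an alert when the machine status has had the value 1 for 15 consecutive minutes. I have two columns: column 1 (a timestamp for every second) and column 2, the machine status (values 1 and 0). How can I use a sliding window to find out whether the machine has been at 1 for 15 consecutive minutes? Currently I have used the bin function, but it does not seem to be correct:

summarize avg_value = avg(status) by customer, machine, bin(timestamp, 15m)

What could be a better solution?

Thanks in advance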

4

2 Answers

1

Here is another option using time series functions:

let dt = 1s;
let n_bins = tolong(15m/dt);
let coeffs = repeat(1, n_bins);
let T = view(M:string) {
    range Timestamp from datetime(2022-01-11) to datetime(2022-01-11 01:00) step dt
    | extend machine = M
    | extend status = iif(rand()<0.002, 0, 1)
};
union T("A"), T("B")
| make-series status=any(status) on Timestamp step dt by machine
| extend rolling_status = series_fir(status, coeffs, false)
| extend alerts = series_equals(rolling_status, n_bins)
| project machine, Timestamp, alerts
| mv-expand Timestamp to typeof(datetime), alerts to typeof(bool)
| where alerts == 1

You can also use the scan operator to do this.

Thanks, Adi

Answered 2022-01-11T15:53:30.903
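The scan-operator variant mentioned in the answer above, as an added example that is not part of the original answer. The rows are constructed sample data, and `threshold`, `gap`, `restart` and `run_len` are names chosen here; `threshold` is 5 samples to keep the demo small, where 15 minutes at a 1 s step would be 900. It also restarts the count on a missing second, so a telemetry gap is not counted as continuous status.

```kusto
let dt = 1s;
let threshold = 5;  // demo value (assumption); use tolong(15m / dt) for the 15-minute case
// Constructed sample rows: machine A has six 1s in a row, machine B has a 2-second gap.
datatable(machine:string, Timestamp:datetime, status:long)
[
    "A", datetime(2022-01-11 00:00:00), 1,
    "A", datetime(2022-01-11 00:00:01), 1,
    "A", datetime(2022-01-11 00:00:02), 1,
    "A", datetime(2022-01-11 00:00:03), 1,
    "A", datetime(2022-01-11 00:00:04), 1,
    "A", datetime(2022-01-11 00:00:05), 1,
    "A", datetime(2022-01-11 00:00:06), 0,
    "B", datetime(2022-01-11 00:00:00), 1,
    "B", datetime(2022-01-11 00:00:01), 1,
    "B", datetime(2022-01-11 00:00:02), 1,
    "B", datetime(2022-01-11 00:00:05), 1,
    "B", datetime(2022-01-11 00:00:06), 1,
    "B", datetime(2022-01-11 00:00:07), 1
]
| sort by machine asc, Timestamp asc
// Distance to the previous row; the very first row has no predecessor, so treat it as one step.
| extend gap = coalesce(Timestamp - prev(Timestamp), dt)
// Start a new run when the machine changes or when samples are missing.
| extend restart = machine != prev(machine) or gap > dt
| scan declare (run_len:long = 0) with
(
    // run_len = number of consecutive rows with status 1, reset to 0 by any status 0.
    step s1: true => run_len = iff(status == 1, iff(restart, 0, s1.run_len) + 1, 0);
)
| where run_len >= threshold
| project machine, Timestamp, run_len
```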
0

Here is one approach. The example uses generated data; hopefully it fits your scenario:

range x from datetime(2022-01-10 13:00:10) to datetime(2022-01-10 13:10:10) step 1s
| extend status = iif(rand()<0.01, 0, 1)
| extend current_sum = row_cumsum(status)
| extend prior_sum = prev(current_sum, 15)
| extend should_alert = (current_sum-prior_sum != 15 and isnotempty(prior_sum))

If there are multiple machines, you need to sort by machine first and then restart the row_cumsum operation:

let T = view(M:string) {
    range Timestamp from datetime(2022-01-10 13:00:10) to datetime(2022-01-10 13:10:10) step 1s
    | extend machine = M
    | extend status = iif(rand()<0.01, 0, 1)
};
union T("A"), T("B")
| sort by machine asc, Timestamp asc 
| extend current_sum = row_cumsum(status, machine != prev(machine))
| extend prior_sum = iif(machine == prev(machine, 15),  prev(current_sum, 15), int(null))
| extend should_alert = (current_sum-prior_sum != 15 and isnotempty(prior_sum))
Answered 2022-01-10T21:00:55.000