Azure Kusto查询:根据时间检索最近2次运行并汇总

标签:azure, azure-application-insights, azure-data-explorer, kql

我是kusto的新手,我正在尝试检索最近2次运行数据并总结错误计数

请参考下面的片段

以下是表格查询,仅供参考

// Sample run log: one "start" and one "end" row per RunId, each tagged with its AppName.
// RunId order does not follow time order for every app (App4: run 10 starts after run 11),
// so "latest run" has to be decided from timestamp, not from RunId.
let Temptable = datatable(RunId:string, Message:string, AppName:string, timestamp:datetime)
[
    "1",  "start", "App1", '2020-02-27T04:30:01.6062658Z',
    "1",  "end",   "App1", '2020-02-27T04:31:01.6062658Z',
    "2",  "start", "App1", '2020-02-27T04:00:01.6062658Z',
    "2",  "end",   "App1", '2020-02-27T04:01:01.6062658Z',
    "3",  "start", "App1", '2020-02-27T03:30:01.6062658Z',
    "3",  "end",   "App1", '2020-02-27T03:31:01.6062658Z',
    "4",  "start", "App1", '2020-02-27T03:00:01.6062658Z',
    "4",  "end",   "App1", '2020-02-27T03:01:01.6062658Z',
    "5",  "start", "App1", '2020-02-27T02:30:01.6062658Z',
    "5",  "end",   "App1", '2020-02-27T02:31:01.6062658Z',
    "6",  "start", "App2", '2020-02-27T04:00:01.6062658Z',
    "6",  "end",   "App2", '2020-02-27T04:01:01.6062658Z',
    "7",  "start", "App2", '2020-02-27T03:00:01.6062658Z',
    "7",  "end",   "App2", '2020-02-27T03:01:01.6062658Z',
    "8",  "start", "App2", '2020-02-27T02:00:01.6062658Z',
    "8",  "end",   "App2", '2020-02-27T02:01:01.6062658Z',
    "9",  "start", "App3", '2020-02-27T01:00:01.6062658Z',
    "9",  "end",   "App3", '2020-02-27T01:01:01.6062658Z',
    "10", "start", "App4", '2020-02-27T00:30:01.6062658Z',
    "10", "end",   "App4", '2020-02-27T00:32:01.6062658Z',
    "11", "start", "App4", '2020-02-27T00:15:01.6062658Z',
    "11", "end",   "App4", '2020-02-27T00:16:01.6062658Z'
];
// Sample error log: one row per error reported by a run.
// Run 10 has no rows here, so its expected error count is 0.
// Run 5 is labelled App2 here but App1 in Temptable; a join on (AppName, RunId) will not
// match those rows, while a join on RunId alone will.
let Errortable = datatable(RunId:string, Error:string, AppName:string)
[
    "1",  "Error1", "App1",
    "1",  "Error2", "App1",
    "1",  "Error3", "App1",
    "2",  "Error1", "App1",
    "2",  "Error4", "App1",
    "3",  "Error1", "App1",
    "3",  "Error2", "App1",
    "3",  "Error3", "App1",
    "3",  "Error4", "App1",
    "4",  "Error1", "App1",
    "5",  "Error1", "App2",
    "5",  "Error2", "App2",
    "6",  "Error1", "App2",
    "6",  "Error2", "App2",
    "7",  "Error1", "App2",
    "8",  "Error1", "App2",
    "9",  "Error1", "App3",
    "9",  "Error2", "App3",
    "11", "Error1", "App4",
    "11", "Error1", "App4"
];
下面是我试过的

// First attempt: error count for the latest run of each application.
// Distinct application names that have at least one "start" row.
let FactTable = Temptable
| where Message == "start"
| summarize by AppName
| project AppName;
// Latest run per application: among "start" rows older than six hours at query time,
// keep the row with the greatest timestamp for each AppName and expose its RunId.
let LatestRun = FactTable
| join kind = inner (Temptable | where timestamp < ago(6h) and Message == "start") on AppName
| summarize arg_max(timestamp,*) by AppName
| project AppName,RunId;
LatestRun
// leftouter keeps a run that has no matching Errortable row as one row whose Error is empty.
| join kind = leftouter (Errortable) on AppName,RunId
// NOTE(review): that padded row is still a row, which would explain a count of 1 for a run
// with no errors (App4's latest run, 10, in the sample data). countif(isnotempty(Error))
// counts only rows that actually carry an error - confirm against your cluster.
| summarize Count_Error = count(Error) by AppName,CurrentRunId = RunId

当我汇总结果时,“App4”的计数返回 1,这是错误的

我怎样才能做到这一点?我还需要显示当前运行和上一次运行,如上面的代码段所示

有人能告诉我该怎么解决这个问题吗?

编辑2:我已经找到了答案,但我不确定这是不是一个好方法

// Second attempt ("Edit 2"): error counts for the latest and the previous run of each
// application, returned side by side in one row per AppName.
// Distinct application names that have at least one "start" row.
let FactTable = Temptable
| where Message == "start"
| summarize by AppName
| project AppName;
// Latest run per application: the "start" row with the greatest timestamp, restricted to
// rows older than six hours at query time.
let LatestRun = FactTable
| join kind = inner (Temptable | where timestamp < ago(6h) and Message == "start") on AppName
| summarize arg_max(timestamp,*) by AppName
| project AppName,RunId;
// Previous run per application: same candidate rows, minus the latest run, then the
// greatest remaining timestamp. RunId1 is LatestRun's RunId, renamed by the join because
// the left side already has a RunId column.
// An application with a single run produces no row here.
let PreviousRun = FactTable
| join kind = inner (Temptable | where timestamp < ago(6h) and Message == "start") on AppName
| join kind= inner ( LatestRun) on AppName
| where RunId != RunId1
| summarize arg_max(timestamp,*) by AppName
| project AppName,RunId;
// Error count for the latest run. leftouter keeps runs without errors as one row with an
// empty Error.
// NOTE(review): count() is documented without an argument in current KQL; whether
// count(isnotempty(Error)) filters the way countif(isnotempty(Error)) does depends on the
// engine accepting the older predicate form - confirm, or use countif to state the intent.
let CurrResult = FactTable
| join kind = leftouter (LatestRun) on AppName
| join kind = leftouter (Errortable) on AppName,RunId
| summarize Curr_ErrorCount = count(isnotempty(Error)) by AppName,RunId
| project AppName,Curr_RunId = RunId,Curr_ErrorCount;
// Error count for the previous run, built the same way as CurrResult (same NOTE applies).
let PrevResult = FactTable
| join kind = leftouter (PreviousRun) on AppName
| join kind = leftouter (Errortable) on AppName,RunId
| summarize Prev_ErrorCount = count(isnotempty(Error)) by AppName,RunId
| project AppName,Prev_RunId = RunId,Prev_ErrorCount;
// One output row per application: current and previous run ids with their error counts.
LatestRun
| join kind = leftouter (CurrResult) on AppName
| join kind = leftouter (PrevResult) on AppName
| project AppName, Curr_RunId, Curr_ErrorCount, Prev_RunId,Prev_ErrorCount
| order by AppName asc


有没有更好的方法来实现这一点?

据我所知,您“编辑2”中的 KQL 查询已经很完善了。

您也可以尝试以下方法,使用 top-nested 运算符:


太好了!非常感谢。你能解释一下下面这条语句实际上是做什么的吗? `| top-nested of AppName by min(1), top-nested 2 of RunId by timestamp=min(timestamp) desc;` —— 请查看文档(上面的链接)。第一个 top-nested 按 AppName 分组,不设数量限制(保留所有记录);第二个 top-nested 在每个 AppName 中按 min(timestamp) 降序选出 2 个 RunId。
// Answer: pick the two most recent runs per application with top-nested, then pivot them
// into one row per AppName.
// First level: every AppName (no count given; min(1) gives each app the same score).
// Second level: within each AppName, the 2 RunIds with the greatest min(timestamp),
// which is exposed as the column "timestamp".
let runs = Temptable 
| where Message  == "start" 
| top-nested of AppName by min(1), top-nested 2 of RunId by timestamp=min(timestamp) desc;
runs
// Joined on RunId only, so an AppName mismatch between the two tables does not drop rows.
| join kind=leftouter Errortable on RunId
// countif(isnotempty(Error)) ignores the empty row that leftouter adds for a run with no
// errors, so such a run reports 0.
| summarize CountErrors=countif(isnotempty(Error)), timestamp = max(timestamp) by AppName, RunId
| order by AppName asc, timestamp desc 
// Pack each run's columns into one dynamic value and collect the runs of an app in a list.
| extend P = pack_all()
| summarize runs = make_list(P) by AppName
// runs[0] is treated as the current run and runs[1] as the previous one.
// NOTE(review): this relies on make_list keeping the order set by the preceding order by -
// confirm. An app with a single run presumably gets empty Prev_ columns.
| project AppName = runs[0].AppName, Cur_RunId = runs[0].RunId, Cur_ErrorCount = runs[0].CountErrors, Prev_RunId = runs[1].RunId, Prev_ErrorCount = runs[1].CountErrors