Kusto - Splunk 到 Kusto 查询转换“max(_time) as time by jobid

【问题标题】：Kusto - Splunk to Kusto Query conversion for "max(_time) as time by jobid | sort -time"Kusto - Splunk 到 Kusto 查询转换“max(_time) as time by jobid | sort -time”
【发布时间】：2021-11-16 07:49:53
【问题描述】：

我正在处理 Splunk 到 Kusto 仪表板的转换。你能告诉我如何将下面的 Splunk 查询转换为 Kusto

我理解了结果的过滤器，但我被困在用 max(_time) 作为 time by jobid | 总结的地方。排序时间

| stats count(eval(result=="failed")) as failed count(eval(result=="succeess" OR result=="progress")) as succeeded max(_time) as time by jobid | sort -time

【问题讨论】：

标签： azure-data-explorer kql kusto-explorer

【解决方案1】：

应该是这样的：

| summarize failed = countif(result=="failed"), 
            succeeded = countif(result=="succeess" or result=="progress"),
            ['time'] = max(_time) by jobid 
| sort by ['time'] desc

【讨论】：

谢谢它对我有用。我想对 ifelse 条件使用相同的方法。我无法使用 Kusto Query 计算结果。 Splunk 查询| eval result=if(Match(Status,"Success|Passed"), "succeess","failed") Kusto 查询| extend result = case(Status in ("Success", "PassedOnRetry"), "succeeded", "failed")
或者如果我使用下面的 Kusto 查询 | summarize success = countif(Status in ("Success", "PassedOnRetry")), total = count() | extend failure = total - success 我如何计算如下所示的时间 ['time'] = max(_time) by jobid |按 ['time'] desc 排序
我能够完成查询。请参阅下文。 | summarize succeeded = countif(Status=="Success" or Status=="Passed"), failure = countif(Status!="Success" or Status!="Passed")
看来你想通了，干得好！