Tim*_*m G 4 kql azure-data-explorer
我的数据源是“元数据”。每台设备都有一个唯一的ID,每天可以多次签到。我想提出一个 Kusto 查询,该查询在过去 30 天内每天为每个 deviceID 返回一条记录。这是我目前的公式:
Metadata
| project-rename['Metadata.deviceID']=deviceID, ['Metadata.appName']=appName, ['Metadata.appVersion']=appVersion, ['Metadata.timeZone']=timeZone
| where (dateTimeUtc >= __sql_substract(now(), 30))
| summarize appName=max(['Metadata.appName']), deviceID=max(['Metadata.deviceID']), appVersion=max(['Metadata.appVersion']), timeZone=max(['Metadata.timeZone']) by bin(dateTimeUtc, 1d)
| project dateTimeUtc, appName, appVersion, timeZone, deviceID
这将每天返回 1 条记录,而不是每个设备 ID 每天返回 1 条记录。如果我删除 bin() 并仅使用“by dateTimeUtc”,则每天每个 deviceID 返回一条以上记录。如何为每个 deviceID 获取过去 30 天内每天的一条记录?
这会得到你想要的结果吗?
(使用 arg_max(): https://docs.microsoft.com/en-us/azure/kusto/query/arg-max-aggfunction)
let Metadata = datatable(deviceID:string, appName:string, appVersion:string, timeZone:string, dateTimeUtc:datetime)
[
"d1", "a1", "v1", "PST", datetime(2018-12-01 15:53),
"d1", "a2", "v2", "PST", datetime(2018-12-01 12:01),
"d1", "a1", "v3", "UTC", datetime(2018-12-03 16:47:22),
"d1", "a2", "v4", "PST", datetime(2018-12-03 14:34:22),
"d2", "a2", "v2", "UTC", datetime(2018-11-30 15:54:22),
"d2", "a1", "v3", "PST", datetime(2018-11-30 14:53:22),
"d2", "a2", "v4", "UTC", datetime(2018-12-01 15:52:22),
"d2", "a1", "v1", "PST", datetime(2018-12-01 12:51:22)
];
Metadata
| where dateTimeUtc > ago(30d)
| summarize arg_max(dateTimeUtc, *) by deviceID, startofday(dateTimeUtc)
| project-away dateTimeUtc1