使用KQL
鉴于这个数据集
let MyTable = datatable (VMID:int, ID:string, Type:string, features:dynamic, scanner:dynamic)[1, "ID-1", "Windows", dynamic([{"name": "name1", "value": true},{"name": "name2", "value": false},{"name": "name3", "value": true}]), dynamic([{"name": "s1", "expiry": false},{"name": "s2", "expiry": true},{"name": "s3", "expiry": true},{"name": "s4", "expiry": false}]),2, "ID-1", "Windows", dynamic([{"name": "name1", "value": true},{"name": "name2", "value": false},{"name": "name3", "value": true}]), dynamic([{"name": "s1", "expiry": false},{"name": "s2", "expiry": true},{"name": "s3", "expiry": false},{"name": "s4", "expiry": true}]),3, "ID-1", "Linux", dynamic([{"name": "name1", "value": true},{"name": "name2", "value": false},{"name": "name3", "value": true}]), dynamic([{"name": "s1", "expiry": false},{"name": "s2", "expiry": false},{"name": "s3", "expiry": true},{"name": "s4", "expiry": false}]),4, "ID-2", "Windows", dynamic([{"name": "name1", "value": true},{"name": "name2", "value": false},{"name": "name3", "value": true}]), dynamic([{"name": "s1", "expiry": false},{"name": "s2", "expiry": true},{"name": "s3", "expiry": false},{"name": "s4", "expiry": true}]),5, "ID-2", "Windows", dynamic([{"name": "name1", "value": true},{"name": "name2", "value": false},{"name": "name3", "value": true}]), dynamic([{"name": "s1", "expiry": false},{"name": "s2", "expiry": true},{"name": "s3", "expiry": true},{"name": "s4", "expiry": true}])];
我想按name1和name2过滤要素,按s1和s3过滤ScanState,然后计算每个Type的VMID的数量,并给予VMID的列表
1.对于www.example.com = name 1,值== truefeature.name
- www.example.com = name2的value = feature.name false
1.对于www.example.com = s1,has expiration = falsescanState.name
1.对于www.example.com = s3,has expiration = truescanState.name
我的主要问题是当使用mv-apply时,它会将JSON分成多行。执行count()会导致额外的结果。
MyTable| mv-apply features, scanner on (where features.name == "name1" or features.name == "name2" or scanner.name == "s1" or scanner.name == "s3" )| extend feature1State = tobool(features.name == "name1" and features.value == true)| extend feature2State = tobool(features.name == "name2" and features.value == false)| extend scan1State = tobool(scanner.name == "s1" and scanner.expiry == false)| extend scan2State = tobool(scanner.name == "s3" and scanner.expiry == true)| summarize vmCount = count(VMID),f1count = countif(feature1State == true),f2count= countif(feature2State== true),scan1count = countif(scan1State == true),scan2count = countif(scan2State == true),f1FailVm = make_set_if(VMID, feature1State == false and isnotempty( VMID)),f2FailVm = make_set_if(VMID, feature2State== false and isnotempty( VMID)),scan1FailVm = make_set_if(VMID, scan1State == false and isnotempty( VMID)),scan2FailVm = make_set_if(VMID, scan2State == false and isnotempty( VMID))by ID, Type
它的输出
请注意,ID-1的VM计数为6,这是不正确的。这是因为mv-apply本质上创建了多行。由于features和Scanner中的条目数不同,所以它选择了它们中的最大值。
有没有更好的办法来解决这个问题。
更新1:使用count_distinct解决VMID,但如何获得正确的失败列表值。使用count_distinct
输出
1条答案
按热度按时间vhmi4jdf1#
vmCount = count_distinct( VMID)代替count(VMID)。count_distinct函数用于按Type和Id字段计算不同VMID值的数量。f1FailVm字段是在Type和Id中feature1State字段中没有true的VMID列表。在这种情况下,将第一个集合作为VMID值的集合,这些值在feature1State字段中具有false值,将第二个集合作为VMID值的集合,这些值在feature1State字段中具有true值,然后在它们之间使用set_difference。代码:
输出:
| ID|类型|vmCount| f1计数|f2count|扫描计数|扫描计数|f1failVM| f2FailVM| scan1FailVm| scan2FailVm|
| - -----|- -----|- -----|- -----|- -----|- -----|- -----|- -----|- -----|- -----|- -----|
| ID-1| windows |2| 2| 2| 2| 1| []|[]|[]|【2】|
| ID-1| Linux| 1| 1| 1| 1| 1| []|[]|[]|[]|
| ID-2| windows |2| 2| 2| 2| 1| []|[]|[]|[4]美国|
fiddle