我有两个自定义事件A和B. A将有一个包含2列的行,例如C和D(具有datetime数据类型)。自定义事件B将具有包含2列E和F的行,其中E将具有日期时间值,F将是整数值。事件A和B没有任何共同的列
现在我希望结果集具有在时间C和D之间发生的那些行。
例如,我有值 C栏 - “2016-09-03” D栏 - “2016-09-11” E列从“2016-08-01”到“2016-09-30”开始有多行。我希望结果集只包含在C列和D列之间出现E列和F列的行
let tab1 = customEvents | extend cws = todatetime(tostring(customDimensions.['ColumnC'])) , cwe =todatetime(tostring(customDimensions.['ColumnB'])) | where name == "A" | project cws , cwe , name | limit 1 ;
let tab2 = customEvents | extend dt = todatetime(tostring(customDimensions.['E'])) | where name == "B" |summarize F=count(name) by E=startofday(dt) | order by E asc | project E , F ;
union tab* |take 10 |project cws , cwe , name , E , F
| where E > cws and E < cwe | project E , F
由于没有公共列,我尝试使用Union语句并组合了两个表但无法获得所需的结果集。对此问题的任何输入对我都非常有用。
答案 0 :(得分:2)
如果要连接2个没有公共列的数据集,可以创建一个虚拟列。 试试这个问题:
customEvents
| where name == "A"
| extend cws = todatetime(tostring(customDimensions.['ColumnC'])) , cwe =todatetime(tostring(customDimensions.['ColumnB'])), dummy = "dummy" | project cws , cwe , name, dummy
| join kind = leftouter (
customEvents
| where name == "B"
| extend dt = todatetime(tostring(customDimensions.['E'])) | summarize F = count(name) by E=startofday(dt) | order by E asc | project E , F, dummy = "dummy"
) on dummy
| where E > cws and E < cwe | project E , F