我非常模糊的标题的上下文:我有 4 个虚拟机,它们将日志发送到应用程序洞察。 我检索日志并使用 kusto 语言将其转换到表中。
结果表
Query:
AzureActivity
| where ResourceProvider == "Microsoft.Compute" and ActivityStatus == "Succeeded" and OperationName == "Deallocate Virtual Machine"
| project DeallocateResource=Resource ,DeallocatedDate=format_datetime(EventSubmissionTimestamp, 'yyyy-MM-dd') ,DeallocatedTime=format_datetime(EventSubmissionTimestamp, 'HH:mm:ss')
| join kind=fullouter
(
AzureActivity
| where ResourceProvider == "Microsoft.Compute" and ActivityStatus == "Succeeded" and OperationName == "Start Virtual Machine"
| project StartupResource=Resource ,StartDate=format_datetime(EventSubmissionTimestamp, 'yyyy-MM-dd') ,StartTime=format_datetime(EventSubmissionTimestamp, 'HH:mm:ss')
)
on $right.StartupResource == $left.DeallocateResource
| where StartDate == DeallocatedDate
| project Resource=coalesce(StartupResource, DeallocateResource) ,
Date=format_datetime(todatetime(coalesce(StartDate, DeallocatedDate)), 'dd/MM/yyyy' )
, StartTime= StartTime ,StopTime=DeallocatedTime ,
Runtime_Hours = format_datetime(datetime_add('minute',datetime_diff('minute', todatetime(strcat(StartDate , " " , DeallocatedTime )) , todatetime(strcat(StartDate , " " , StartTime ))), make_datetime(2017,1,1)), 'hh:mm')
| sort by Date asc , Resource asc
正如您所看到的,当虚拟机在 8:15 启动并在 8:58 停止并且运行时间为 12:43 小时时,运行时间不正确,则存在问题。在虚拟机的事件日志中,我看到一些同事对虚拟机做了一些奇怪的事情。并启动了几次(他再次启动一分钟后,可能是您同时单击开始按钮两次时出现的故障)。
事件日志
我确实找到了解决问题的理论方法: 我的查询需要更改,以便仅当虚拟机启动并随后停止时才需要将运行时甚至启动和停止时间记录在时间表中。但是 atm 我得到了所有“启动虚拟机”和所有“停止虚拟机”,只是在表中对它们进行排序,这导致我的结果表中出现混淆。
但我似乎无法在查询中找到调整此设置的方法。仅当当天的第一天(当前一个不是启动虚拟机时)或前一个日志是“释放虚拟机”时才说获取启动虚拟机,因为这不是按顺序启动-停止。一天中的时间需要包含在公式中。 仅当前一个虚拟机是启动虚拟机时才获取释放虚拟机。 并计算每次运行的运行时间而不是每天。
由于我对 SQL 和 kusto 非常陌生,我来这里并不是为了让别人给我解决方案或为我做工作。 我希望有人可以帮助我或引导我朝正确的方向找到问题的解决方案。
提前致谢!!!
最佳答案
请检查以下方法是否能让您更接近您的需求。
datatable(Resource:string, Event:string, EventTime:datetime)
[
'Machine1', 'Start', datetime(2019-04-12 00:00),
'Machine1', 'Stop', datetime(2019-04-12 01:00),
'Machine1', 'Start', datetime(2019-04-12 01:30),
'Machine1', 'Start', datetime(2019-04-12 01:45),
'Machine1', 'Stop', datetime(2019-04-12 11:45),
// Machine2
'Machine2', 'Start', datetime(2019-04-12 00:00),
'Machine2', 'Stop', datetime(2019-04-12 01:00),
'Machine2', 'Stop', datetime(2019-04-12 01:20),
'Machine2', 'Start', datetime(2019-04-12 01:30),
'Machine2', 'Stop', datetime(2019-04-12 11:45),
]
| order by Resource asc, EventTime asc
| extend IsSameResource = (prev(Resource) == Resource)
| extend PrevState = iif(IsSameResource, prev(Event), Event), CurrentState = Event
| extend RunTime = iif(PrevState == 'Start' and CurrentState == 'Stop', EventTime - prev(EventTime), time(null)),
StartTime = prev(EventTime)
| where isnotnull(RunTime)
| project Resource, StartTime, EndTime = EventTime, RunTime
[编辑]
相同的方法 - 但使用问题中提供的列:
let AzureActivity = datatable(ResourceProvider:string, Resource:string, ActivityStatus:string, OperationName:string, EventSubmissionTimestamp:datetime)
[
"Microsoft.Compute", 'Machine1', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 00:00),
"Microsoft.Compute", 'Machine1', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 01:00),
"Microsoft.Compute", 'Machine1', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 01:30),
"Microsoft.Compute", 'Machine1', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 01:45),
"Microsoft.Compute", 'Machine1', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 11:45),
// Machine2
"Microsoft.Compute", 'Machine2', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 00:00),
"Microsoft.Compute", 'Machine2', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 01:00),
"Microsoft.Compute", 'Machine2', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 01:20),
"Microsoft.Compute", 'Machine2', "Succeeded", 'Start Virtual Machine', datetime(2019-04-12 01:30),
"Microsoft.Compute", 'Machine2', "Succeeded", 'Deallocate Virtual Machine', datetime(2019-04-12 11:45),
];
AzureActivity
| where ResourceProvider == "Microsoft.Compute"
| where OperationName in ('Deallocate Virtual Machine','Start Virtual Machine')
| where ActivityStatus == 'Succeeded'
| order by Resource asc, EventSubmissionTimestamp asc
| extend IsSameResource = (prev(Resource) == Resource)
| extend PrevState = iif(IsSameResource, prev(OperationName), OperationName), CurrentState = OperationName
| extend RunTime = iif(PrevState == 'Start Virtual Machine' and CurrentState == 'Deallocate Virtual Machine', EventSubmissionTimestamp - prev(EventSubmissionTimestamp), time(null)),
StartTime = prev(EventSubmissionTimestamp)
| where isnotnull(RunTime)
| project Resource, StartTime, EndTime = EventSubmissionTimestamp, RunTime
关于azure - 库斯托语言。仅当时间上的前一个值不相同时才获取一个值,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55627936/