我正在对来自多个电表的时间数据应用series_sasse_anomalies算法。目前,我正在使用ADX仪表板功能将我的仪表标识符作为参数输入算法,并将我的异常和分数作为表格返回。
let dt = 3hr;
Table
| where meter_ID == dashboardParameter
| make-series num=avg(value) on timestamp from _startTime to _endTime step dt
| extend (anomalies,score,baseline) = series_decompose_anomalies( num, 3,-1, 'linefit')
| mv-expand timestamp, num, baseline, anomalies, score
| where anomalies ==1
| project dashboardParameter, todatetime(timestamp), toreal(num), toint(anomalies), toreal(score)
我想一次性批量处理我所有的电表,并返回一张包含所有异常情况的表格。是否可以在KQL中以可迭代的形式或类似的方式馈送数组,以允许我的参数在一次运行中多次更改?
只需添加by meter_ID即可制作系列
(并删除| where meter_ID == dashboardParameter(
| make-series num=avg(value) on timestamp from _startTime to _endTime step dt by meter_ID
第页。S.
异常可以是正的(num>基线=>标志=1(或负的(num<基线=>标志=-1(
演示
let _step = 1h;
let _endTime = toscalar(TransformedServerMetrics | summarize max(Timestamp));
let _startTime = _endTime - 12h;
TransformedServerMetrics
| make-series num = avg(Value) on Timestamp from _startTime to _endTime step _step by SQLMetrics
| extend (flag, score, baseline) = series_decompose_anomalies(num , 3,-1, 'linefit')
| mv-expand Timestamp to typeof(datetime), num to typeof(real), flag to typeof(int), score to typeof(real), baseline to typeof(real)
| where flag != 0
| SQLMetrics | num | 时间戳标志 | >得分<1th>基线||
|---|---|---|---|---|
| write_bytes | 169559910.91717172 | 2022-06-14T15:00:30.2395884Z | -1 | -3.482403987238131 | 170205132.25708669
| cpu_time_ms | 17.369556143036036 | 2022-06-14T17:00:30.2395884Z | <1>>1 | 7.887452984282611.04372634506527 |
| percent_complete | 0.04595588235294118 | 2022-06-14T22:00:30.239588884Z | 1 | >25.0194648687499850.004552738927738928 |
| blocking_session_id | -5 | 2022-06-14T22:00:30.2395884Z | <1>-25.199464868749971-0.49533799533799527 | |
| pending_disk_io_count | 0.0019675925925924 | 2022-06-14T23:00:30.2395884Z | 1 | 6.46868363842256850.00043773741690408352 |