我有一个where条件,我想在Azure Data Explorer DB中的一组表上运行它。我发现";在((中查找";Kusto查询中的运算符非常有用,当我按预期传递表列表时,它可以很好地工作。
find withsource=DataType in (AppServiceFileAuditLogs,AzureDiagnostics)
where TimeGenerated > ago(31d)
project _ResourceId, _BilledSize, _IsBillable
| where _IsBillable == true
| summarize BillableDataBytes = sum(_BilledSize) by _ResourceId, DataType | sort by BillableDataBytes nulls last
但是,在我的场景中,我希望在运行时使用另一个查询来决定表的列表。
Usage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000 by DataType
| sort by BillableDataGB desc
|project DataType
find withsource=DataType in (<pass resulting table expression from above query here as comma separated list of tables>)
where TimeGenerated > ago(31d)
project _ResourceId, _BilledSize, _IsBillable
| where _IsBillable == true
| summarize BillableDataBytes = sum(_BilledSize) by _ResourceId, DataType | sort by BillableDataBytes nulls last
找到了一些使用通配符传递数据库或集群中所有表的示例,但这不适合我的场景。有人能在这里帮我吗。
以下是实现这一目标的一种方法:
let Tables = toscalar(Usage
| where TimeGenerated > ago(32d)
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| where IsBillable == true
| summarize by DataType);
union withsource=T *
| where T in (Tables)
| count
请注意,toscalar表达式具有重要意义,它预先计算表列表并优化联合表达式上的筛选器。我还更新了您的查询,以避免不必要的工作。