小贝子编程

KQL azure分析中的IFF功能?



我试图在KQL中创建一个ifelse语句,但我找不到关于是否有可能做我正在尝试的事情的文档。基本上,我想做的是只有当条件(EventResults=="Success")满足时才能进行总结,如果不满足,则进行另一次总结。通过SrcDvcIpAddr, bin(TimeGenerated, timeframe)来总结SuccessCount=count(), SuccessUsers=makeset(User)其他的summary FailCount=count(), SuccessUsers=makeset(User) by SrcDvcIpAddr, bin(TimeGenerated, timeframe)

除了在微软官方文档页面上使用扩展操作符之外,我没有找到任何关于在哪里以及如何使用iff的信息。我想做的事情可能吗?

// Sample data generation. Not Part of the solution.
let imAuthentication = materialize(range i from 1 to 500 step 1 | extend User = strcat("user_", tostring(toint(rand(10))+1)), SrcDvcIpAddr = tostring(dynamic(["1.1.1.1", "2.2.2.2", "3.3.3.3"])[toint(rand(2))]), EventResult = tostring(dynamic(["Success", "Failure"])[toint(rand(2))]), EventType ="Logon", EventProduct = "AAD", TimeGenerated = ago(12h * rand()));
// Solution starts here.
let sigin_threshold = 5;
let endtime         = 12h;
let timeframe       = 15m;
imAuthentication
|where  TimeGenerated >= ago(endtime) 
and EventProduct  == "AAD"
and EventType     =="Logon" 
and EventResult   in ("Success", "Failure")
and SrcDvcIpAddr  != "-" 
and isnotempty(User)
|summarize  SuccessCount = countif(EventResult == "Success")
,FailCount    = countif(EventResult == "Failure")
,SuccessUsers = make_set_if(User, EventResult == "Success")           
,FailUsers    = make_set_if(User, EventResult == "Failure") 
by SrcDvcIpAddr
,bin(TimeGenerated, timeframe)
|where FailCount > sigin_threshold
tbody> <<tr>
SrcDvcIpAddrTimeGeneratedSuccessCountFailCountSuccessUsersFailUsers
2.2.2.22023 - 01 - 20 - t10:15:00z37["user_3","user_2"["user_8","user_2","user_10","user_6","user_3","user_5"]
2.2.2.22023 - 01 - 20 - t11:00:00z46["user_9","user_3","user_6"]["user_8","user_7","user_2","user_4","user_9"]
1.1.1.12023 - 01 - 20 - t11:15:00z46["user_10","user_7","user_4"]["user_9","user_4","user_3"]
1.1.1.12023 - 01 - 20 - t11:45:00z36["user_2","user_1","user_7"]["user_2","user_1","user_9","user_4"]
2.2.2.22023 - 01 - 20 - t12:15:00z38["user_4","user_5"["user_6","user_8","user_7","user_2","user_3","user_1","user_5"]

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium