How to efficiently find if any field changed in a Kusto table?
I have a table that is populated every hour or so with new updates on every disk in the system. I want to isolate two instances of this update and see whether any of the fields for each disk (identified by unique disk id) have changed in this time.
For example the following kusto query shows what I want to achieve (in my problem both T1 and T2 would come from the same table, but this is how I want it to work)
let T1 = datatable(DiskId:int, IsLeased:bool, NumSnapshots:int) [
1, true, 2,
2, false, 0,
3, true, 0,
4, true, 1,
];
let T2 = datatable(DiskId:int, IsLeased:bool, NumSnapshots:int) [
1, true, 0,
2, true, 0,
3, true, 0,
4, true, 1,
];
T1
| join kind = inner (T2) on DiskId
| project DiskId, IsLeasedCheck = IsLeased == IsLeased1, NumSnapshotsCheck = NumSnapshots == NumSnapshots1
| where IsLeasedCheck == false or NumSnapshotsCheck == false
will get me an output as follows, so I can tell at a glance which property if any changed.
| DiskId | IsLeasedCheck | NumSnapshotsCheck |
|---|---|---|
| 1 | true | false |
| 2 | false | true |
In my case however, I need to do this for several columns, I wanted to ask whether this can be done in a less tedious way in kusto. I don't need to solve it in exactly this way, I just need to know if any fields changed in any way.
If you just want to figure out if any column has changed, you could merge all columns and compare them:
let T = datatable(DiskId:int, IsLeased:bool, NumSnapshots:int, ingestion_date:datetime ) [
1, true, 2, datetime("2024-04-26"),
2, false, 0, datetime("2024-04-26"),
3, true, 0,datetime("2024-04-26"),
4, true, 1,datetime("2024-04-26"),
1, true, 0,datetime("2024-04-27"),
2, true, 0,datetime("2024-04-27"),
3, true, 0,datetime("2024-04-27"),
4, true, 1,datetime("2024-04-27")
];
T
| order by DiskId asc, ingestion_date asc
| extend new_setting = tostring(bag_pack("IsLeased", tostring(IsLeased), "NumSnapshots", tostring(NumSnapshots)))
| project-away IsLeased, NumSnapshots
| extend old_setting=prev(new_setting)
| where prev (new_setting) != new_setting and DiskId == prev(DiskId)
This would give you a view at least on the changed rows:
- How to run Get Kusto query using Rest API
- use range with custom field
- Azure Application Insights: How to make a nice time graph from a custom KQL query?
- KQL: bag unpack json into single row
- Is customDimension column name 'first' restricted?
- How can I get sub value in nested json via KQL?
- Kusto make-series by month
- Need suggestion to implement restrictive permissions to Kusto Tables and Functions
- KQL merge rows with the same ID into one row
- How to do a KQL time window join at millisecond granularity?
- Kusto Query replace the timestamp of duplicate rows
- Bin producing unexpected results
- How to create a whitelist with two fields in KQL with a Watchlist?
- KQL Query for Calculation of ErrorDuration within Timespan
- Add text to point(s) in Kusto linechart
- Kusto query with multiple sample values from an aggregate
- How to get data for specific date (startofweek) in a given time range in KQL?
- How can I convert TimeGenerated to TimeIngested in this KQL query for an Azure Workbook?
- multiple if and else within kql azure
- Controlling scatter chart markers in Azure Data Explorer dashboard using KQL
- Monitor HTTP traffic for Azure Web App using Log analitics and KQL query
- Defining external table kind as delta
- Kusto query map through array
- how to use or condition in kql
- KQL: Every time a word is mentioned in a column append it to a new column as a list
- KQL: Create an id column every time a value changes in column x ordered by another column y
- KQL query returns available memory but not Total Memory
- Display lines & values for whole range of y-axis values in Kusto linechart
- Kusto - fetch data from one table where matching records do not exist in another table
- KQL - extract property value from an array of JSON objects, based on the value of another property