Using Kusto scan operator to capture sequential pairs that meets criteria
I am trying to get the kusto scan operator to work for this use case. I want to create pairs where columnA matches.
let threecolumns = datatable( Ts: timespan, ColumnA: string, ColumnB: string)
[
0m, "aaa","023",
1m, "aaa","134",
2m, "aaa", "256",
3m, "aaa", "356",
4m, "aaa", "467",
5m, "bbb", "578",
6m, "bbb", "687",
8m, "ccc", "788",
11m, "ddd", "899",
12m, "ddd", "988"];
For the above table, I'm looking to get a list this
| Ts | ColumnA | ColumnB | isPair | A_1 | B_1 |
|---|---|---|---|---|---|
| 0m | aaa | 023 | true | aaa | 134 |
| 2m | aaa | 256 | true | aaa | 356 |
| 5m | bbb | 578 | true | bbb | 687 |
| 11m | ddd | 899 | true | ddd | 988 |
This is what I've tried, and as you can see, I am getting an extra pair
let threecolumns = datatable( Ts: timespan,ColumnA:string, ColumnB: string) [
0m, "aaa","023",
1m, "aaa","134",
2m, "aaa", "256",
3m, "aaa", "356",
4m, "aaa", "467",
5m, "bbb", "578",
6m, "bbb", "687",
8m, "ccc", "788",
11m, "ddd", "899",
12m, "ddd", "988"
];
threecolumns
| partition hint.strategy=native by ColumnA
(
order by Ts desc
| extend A_1 = next(ColumnA, 1), B_1 = next(ColumnB, 1)
| extend A_2 = next(ColumnA, 2), B_2 = next(ColumnB, 2)
| scan with_match_id=m_id declare(paired: bool, step: string) with
(
step s1 output = last: (ColumnA == A_1 and paired != true) => paired = true, step = 's1';
step s2 :(ColumnA == A_2 and s1.paired == true) => paired = false, step = 's2';
step s3: (ColumnA != A_1) => paired = false, step = 's3';
)
)
| where paired == true
| project Ts, ColumnA, ColumnB, paired, A_1, B_1
| Ts | ColumnA | ColumnB | isPair | A_1 | B_1 |
|---|---|---|---|---|---|
| 00:04:00 | aaa | 467 | true | aaa | 356 |
| 00:03:00 | aaa | 356 | true | aaa | 256 |
| 00:01:00 | aaa | 134 | true | aaa | 023 |
| 00:06:00 | bbb | 687 | true | bbb | 578 |
| 00:12:00 | ddd | 988 | true | ddd | 899 |
Solution
You can try below code to achieve your requirement.
let threecolumns = datatable( Ts: timespan,ColumnA:string, ColumnB: string) [
0m, "aaa","023",
1m, "aaa","134",
2m, "aaa", "256",
3m, "aaa", "356",
4m, "aaa", "467",
5m, "bbb", "578",
6m, "bbb", "687",
8m, "ccc", "788",
11m, "ddd", "899",
12m, "ddd", "988"
];
threecolumns
| partition hint.strategy=native by ColumnA
(
order by Ts asc
| extend A_1 = next(ColumnA, 1), B_1 = next(ColumnB, 1)
| extend x=row_number()
| where A_1 !=''
| where x%2 == 1
)
| order by Ts asc
| project Ts, ColumnA, ColumnB, paired=true, A_1, B_1;
Result:
- What is considered an ingestion request in Azure Data Explorer?
- Kql function to append columns
- Kibana Query for Message that contains ":"
- Get Azure VM creation date
- How good is performance of "has" operator in Kusto when RHS is not exactly one term?
- Stuck at PIM Diagnostics via KQL
- union with all fields
- How to create an Alert for Data Collection Rule deletion across all VMs in a subscription?
- Are joins within the same cluster consistent and isolated in Azure Data Explore?
- Is it possible to change the day returned from startofweek() and endofweek()?
- How to run Get Kusto query using Rest API
- KQL: bag unpack json into single row
- ADX - KQL: Conditionally Extending Property Columns from Dynamic Column
- Where is Update Policy failure logged
- Need suggestion to implement restrictive permissions to Kusto Tables and Functions
- How to do a KQL time window join at millisecond granularity?
- Kusto Query replace the timestamp of duplicate rows
- Using Kusto scan operator to capture sequential pairs that meets criteria
- KQL Query for Calculation of ErrorDuration within Timespan
- Add text to point(s) in Kusto linechart
- Kusto query with multiple sample values from an aggregate
- How to get data for specific date (startofweek) in a given time range in KQL?
- Defining external table kind as delta
- Kusto query map through array
- java.io.UncheckedIOException: io.netty.channel.StacklessClosedChannelException while writing to adx
- KQL: Every time a word is mentioned in a column append it to a new column as a list
- KQL: Create an id column every time a value changes in column x ordered by another column y
- Display lines & values for whole range of y-axis values in Kusto linechart
- Kusto - fetch data from one table where matching records do not exist in another table
- KQL - extract property value from an array of JSON objects, based on the value of another property