Search code examples
azure-data-explorerazure-monitorkusto-explorer

Kusto: compare each row in a resultset with another table

I have two tables: EventsTable enter image description here

And Subcategory table:

enter image description here

I expect to mark all rows in EventsTable with "dataflow" subcategory, because the keywords: cpu, dataflow and cpupct, belong to the subcategory dataflow.

I am looking for a query with a logic like this:

let Subcategory = datatable(subcategory:string, keywords:dynamic )
[
    'saturacion', dynamic(["saturation","infrastructure"]),
    'slow disk',dynamic(["low","disk","space"]),
    'saturacion',dynamic(["using","win","use"]),
    'saturacion',dynamic(["used","win","utilization","percentage"]),
    'swap memory',dynamic(["swap","memory","usage"]),
    'disk full',dynamic(["disk","free","size","filesystemspace"]),
    'dataflow',dynamic(["cpu","dataflow","cpupct"])
];
let EventsTable = datatable(ID:string, category:string, words:dynamic )
[
    'mcsc1','cpu',dynamic(["swap","memory","usage"]),
    'mcsc2','cpu',dynamic(["disk","free","size","filesystemspace"]),
    'mcsc3','cpu',dynamic(["cpu","dataflow","cpupct"])
];
EventsTable
| mv-apply Subcategory on 
(
   extend subcat=iff(
    array_length(set_intersect(words, Subcategory.keywords)) == array_length(Subcategory.keywords),
    Subcategory.subcategory, 'none')
)
Solution

  • You can try the following approach (though I'm not sure it's the most optimal way to solve this):

    let Subcategory = datatable(subcategory:string, keywords:dynamic )
[
    'saturacion', dynamic(["saturation","infrastructure"]),
    'slow disk',dynamic(["low","disk","space"]),
    'saturacion',dynamic(["using","win","use"]),
    'saturacion',dynamic(["used","win","utilization","percentage"]),
    'swap memory',dynamic(["swap","memory","usage"]),
    'disk full',dynamic(["disk","free","size","filesystemspace"]),
    'dataflow',dynamic(["cpu","dataflow","cpupct"])
];
let EventsTable = datatable(ID:string, category:string, words:dynamic )
[
    'mcsc1','cpu',dynamic(["swap","memory","usage"]),
    'mcsc2','cpu',dynamic(["disk","free","size","filesystemspace"]),
    'mcsc3','cpu',dynamic(["cpu","dataflow","cpupct"])
];
EventsTable | extend Temp=1
| join kind=inner (Subcategory | extend Temp=1) on Temp
| extend subcat = iff(array_length(set_intersect(words, keywords)) == array_length(keywords), category, 'none')
| project-away Temp, Temp1