azurekqlazure-data-explorer
KQL script - How to compute total seconds per Success (True/False)
Given the Timegenerated and Success fields In Kusto script
How to get the total seconds of each row for True and false
Get the total seconds for the true and false (for this sample how to get 33 for true and 7 for false
I used the
| serialize
| extend Timediff = (prev(TimeGenerated, 1) - TimeGenerated)/1sec
but im having a challenge to get the false/true
Im just getting the diff of each record
Solution
Code:
| serialize
| extend TimeDiff = (next(TimeGenerated, 1) - TimeGenerated)/1s
| summarize TotalSeconds = sum(TimeDiff) by Success
You can use summarize operator and group the data based on the value of success field and sum the Timediff values. This will give the total seconds for true and false separately.
Output:
| Success | TotalSeconds |
|---|---|
| true | 33 |
| false | 7 |
Update
| serialize
| extend TimeDiff = (next(TimeGenerated, 1) - TimeGenerated)/1s
| extend true_per_sec = iif(Success=='true',TimeDiff,real(null)), false_per_sec = iif(Success=='false',TimeDiff,real(null))
| summarize TimeDiff=sum(TimeDiff), true_per_sec=sum(true_per_sec), false_per_sec=sum(false_per_s