CODEWITHSUNDEEP
azuredatetimeazure-data-explorerkql
user75252
user75252

Reputation: 309

Date time difference within a column in Azure Monitor Logs (Kusto Query Language)

I have clickstream data in Azure Monitor Logs in this format:

       Timestamp             Category  Session_ID    Step_Name
10/22/2019, 9:28:14.868 AM      A        ++9Ti        step 1    
10/22/2019, 9:28:18.034 AM      A        ++9Ti        step 2    
10/22/2019, 9:28:22.487 AM      A        ++9Ti        step 3
10/23/2019, 7:02:02.527 AM      B        ++MoY        step 1    
10/23/2019, 7:02:09.244 AM      B        ++MoY        step 2    
10/23/2019, 7:02:21.156 AM      B        ++MoY        step 3        <-- 
10/23/2019, 7:02:27.195 AM      B        ++MoY        step 3        <--
10/23/2019, 7:15:13.544 AM      A        ++0a3        step 1    
10/23/2019, 7:15:35.438 AM      A        ++0a3        step 2

I need to get the mean time that a consumer spends on each step in a Category

Also, when steps are repeated (like step 3 in session_ID = '++MoY'), we need to take the latest timestamp while calculating the mean.

Example : Mean time spent on step 2 in category A is (3.166 + 21.894)/2 = 12.53 seconds. (Note : timestamp gives time at which step is completed)

Upvotes: 2

Views: 2862

Answers (1)

Yoni L.
Yoni L.

Reputation: 25895

you could try something like the following

a) using arg_max() to take the latest by step/category

b) using prev() after order by to calculate the duration for each step

datatable(Timestamp:datetime, Category:string, Session_ID:string, Step_Name:string)
[
    datetime(10/22/2019, 9:28:14.868 AM), 'A', '++9Ti', 'step 1',
    datetime(10/22/2019, 9:28:18.034 AM), 'A', '++9Ti', 'step 2',
    datetime(10/22/2019, 9:28:22.487 AM), 'A', '++9Ti', 'step 3',
    datetime(10/23/2019, 7:02:02.527 AM), 'B', '++MoY', 'step 1',
    datetime(10/23/2019, 7:02:09.244 AM), 'B', '++MoY', 'step 2',
    datetime(10/23/2019, 7:02:21.156 AM), 'B', '++MoY', 'step 3',
    datetime(10/23/2019, 7:02:27.195 AM), 'B', '++MoY', 'step 3',
    datetime(10/23/2019, 7:15:13.544 AM), 'A', '++0a3', 'step 1',
    datetime(10/23/2019, 7:15:35.438 AM), 'A', '++0a3', 'step 2',
]
| summarize arg_max(Timestamp, *) by Step_Name, Session_ID
| order by Session_ID asc, Timestamp asc
| extend duration = iff(Session_ID == prev(Session_ID), Timestamp - prev(Timestamp), 0s)
| summarize avg(duration) by Step_Name, Category
| where Step_Name == "step 2" and Category == "A"

Upvotes: 2

Related Questions