I am looking to create a user defined aggregate function in KQL to be used in a summarize function. I want to calculate the average value of a device sensor, but I need it to include the duration of time when a sensor has a specific value.
I've searched online, in the Microsoft documentation and StackOverflow, but I am unable to find any example that may help.
Note: The code examples in this question are slimmed down to just include the relevant information.
My table setup is as follows:
.create table tempMetrics ( TimeStamp: datetime, Name: string, Value: decimal ) Let's use this as input data:
.ingest inline into table tempMetrics <| datetime(2024-01-03 10:00:00),Sensor1,1 datetime(2024-01-03 10:03:00),Sensor1,5 datetime(2024-01-03 10:05:00),Sensor1,3 datetime(2024-01-03 10:06:00),Sensor1,7 datetime(2024-01-03 10:00:00),Sensor2,5 datetime(2024-01-03 10:02:00),Sensor2,6 datetime(2024-01-03 10:05:00),Sensor2,3 datetime(2024-01-03 10:09:00),Sensor2,1 I want to calculate the average value per five minutes, per metric. A simple query to get this would be:
tempMetrics | summarize Average=avg(Value) by bin(TimeStamp, 5m), Name However, I want it to be the average over time. So if a sensor measures 1 at the start of the time block, and three minutes in the value changes to 5, the average shouldn't be 3, but 2.6.
Above query gives the following results.
| TimeStamp | Name | Average | Should be |
|---|---|---|---|
| 2024-01-03T10:00:00Z | Sensor1 | 3 | 2.6 |
| 2024-01-03T10:00:00Z | Sensor2 | 5.5 | 5.6 |
| 2024-01-03T10:05:00Z | Sensor1 | 5 | 6.2 |
| 2024-01-03T10:05:00Z | Sensor2 | 2 | 2.6 |
I want to solve this using a user defined aggregate function, because this would keep the query clean.
Does anyone have any experience with this?
