如何:从stddev/mean计算中排除一行并稍后联接

这对于大型计算机组来说效果相当好,但是对于较小的计算机组来说存在一个问题:如果计算机很少,并且只有一台计算机抛出了大量异常,那么它可能无法被检测到。原因是因为数据点是组的一般标准差分和平均值计算的PAR,所以平均值和标准差分偏向于这个异常值。

解决方案是从整个组的计算stddev和平均值中减去该数据点,或者计算每个机器/环境/功能组合的stddev和平均值(不包括stddev/平均值计算中有问题的机器),而不仅仅是按环境/功能组。

以下是按环境/函数执行的当前代码。是否有一个优雅的解决方案来扩展它以实现机器/环境/功能?

// Find sick machines
let SickMachinesAt = (AtTime:datetime , TimeWindow:timespan = 1h, Sigmas:double = 3.0, MinimumExceptionsToTrigger:int = 10) {
    // These are the exceptions we are looking at (time window constrained)
    let Exceptions = exception
    | where EventInfo_Time between((AtTime - TimeWindow ) .. AtTime);
    // Calculate mean and stddev for each bin of environmentName + machineFunction
    let MeanAndStdDev = Exceptions
    | summarize count() by environmentName, machineFunction, machineName
    | summarize avg(count_), stdev(count_) by environmentName, machineFunction
    | order by environmentName, machineFunction;
    let MachinesWithMeanAndStdDev = Exceptions
    | summarize count() by environmentName, machineFunction, machineName
    | join kind=fullouter MeanAndStdDev on environmentName, machineFunction;
    let SickMachines = MachinesWithMeanAndStdDev |
    project machineName, 
        machineFunction, 
        environmentName, 
        totalExceptionCount = count_, 
        cutoff = avg_count_ + Sigmas * stdev_count_, 
        signalStrength = ((count_ - avg_count_) / stdev_count_) 
    | where totalExceptionCount > cutoff and totalExceptionCount > MinimumExceptionsToTrigger
    | order by signalStrength desc;
    SickMachines
}