无法解析 Kusto 查询
Kusto query could not be parsed
我有包含 DstIP_s 等字段的 SecurityLog,我想显示与我的 trojanDst table
相匹配的记录
let trojanDst = datatable (DstIP_s:string)
[ "1.1.1.1","2.2.2.2","3.3.3.3"
];
SecurityLog |
| join trojanDst on DstIP_s
我收到 无法解析查询 错误?
您发布的查询在 join.
之前有一个多余的管道 (|)
从效率的角度来看,请确保 join 的左侧较小,如下所示:https://docs.microsoft.com/en-us/azure/kusto/query/best-practices#join-operator
评论太长了。正如 指出的那样,问题是双重管道运算符。
对于SQL背景的人来说join可能有点违反直觉(实际上是kind=innerunique):
kind unspecified, kind=innerunique
Only one row from the left side is matched for each value of the on
key. The output contains a row for each match of this row with rows
from the right.
Kind=inner
There's a row in the output for every combination of matching rows
from left and right.
let t1 = datatable(key:long, value:string)
[
1, "a",
1, "b"
];
let t2 = datatable(key:long, value:string)
[
1, "c",
1, "d"
];
t1| join t2 on key;
输出:
┌─────┬───────┬──────┬────────┐
│ key │ value │ key1 │ value1 │
├─────┼───────┼──────┼────────┤
│ 1 │ a │ 1 │ c │
│ 1 │ a │ 1 │ d │
└─────┴───────┴──────┴────────┘
SQL风格JOIN版本:
let t1 = datatable(key:long, value:string)
[
1, "a",
1, "b"
];
let t2 = datatable(key:long, value:string)
[
1, "c",
1, "d"
];
t1| join kind=inner t2 on key;
输出:
┌─────┬───────┬──────┬────────┐
│ key │ value │ key1 │ value1 │
├─────┼───────┼──────┼────────┤
│ 1 │ b │ 1 │ c │
│ 1 │ a │ 1 │ c │
│ 1 │ b │ 1 │ d │
│ 1 │ a │ 1 │ d │
└─────┴───────┴──────┴────────┘
KQL 中有许多连接类型,例如 innerunique、inner、leftouter、rightouter、fullouter、anti 等。在这里你可以找到 full list
我有包含 DstIP_s 等字段的 SecurityLog,我想显示与我的 trojanDst table
相匹配的记录let trojanDst = datatable (DstIP_s:string)
[ "1.1.1.1","2.2.2.2","3.3.3.3"
];
SecurityLog |
| join trojanDst on DstIP_s
我收到 无法解析查询 错误?
您发布的查询在 join.
|)
从效率的角度来看,请确保 join 的左侧较小,如下所示:https://docs.microsoft.com/en-us/azure/kusto/query/best-practices#join-operator
评论太长了。正如
对于SQL背景的人来说join可能有点违反直觉(实际上是kind=innerunique):
kind unspecified, kind=innerunique
Only one row from the left side is matched for each value of the on key. The output contains a row for each match of this row with rows from the right.
Kind=inner
There's a row in the output for every combination of matching rows from left and right.
let t1 = datatable(key:long, value:string)
[
1, "a",
1, "b"
];
let t2 = datatable(key:long, value:string)
[
1, "c",
1, "d"
];
t1| join t2 on key;
输出:
┌─────┬───────┬──────┬────────┐
│ key │ value │ key1 │ value1 │
├─────┼───────┼──────┼────────┤
│ 1 │ a │ 1 │ c │
│ 1 │ a │ 1 │ d │
└─────┴───────┴──────┴────────┘
SQL风格JOIN版本:
let t1 = datatable(key:long, value:string)
[
1, "a",
1, "b"
];
let t2 = datatable(key:long, value:string)
[
1, "c",
1, "d"
];
t1| join kind=inner t2 on key;
输出:
┌─────┬───────┬──────┬────────┐
│ key │ value │ key1 │ value1 │
├─────┼───────┼──────┼────────┤
│ 1 │ b │ 1 │ c │
│ 1 │ a │ 1 │ c │
│ 1 │ b │ 1 │ d │
│ 1 │ a │ 1 │ d │
└─────┴───────┴──────┴────────┘
KQL 中有许多连接类型,例如 innerunique、inner、leftouter、rightouter、fullouter、anti 等。在这里你可以找到 full list