Can I create custom queries in Where and Case statements from dynamic array in Kusto Query?
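I have a requests data table with url, name and timestamp columns, to which I added another calculated column, operationType.
I want to filter and query requests based on a defined dynamic object property, data, to get the operations and their usage counts, like below: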
operationType | Counts
-------------------------
1.1 Operation A | 2400
-------------------------
1.2 Operation B | 1500
I have:
let daysAgo = 100d;
let data = dynamic([
{
'searchKey': 'url',
'searchOperator': 'contains',
'searchValue': 'AjaxContent?option=something',
'operationName': '1.1 Operation A'
},
{
'searchKey': 'name',
'searchOperator': 'matches regex',
'searchValue': 'POST /api/repo/\d+/filters',
'operationName': '1.2 Operation B'
}]);
let req = requests
| where (timestamp >= ago(daysAgo))
| where
//Issue #1: I want data[0].searchKey to be used as the requests column name
data[0].searchKey contains data[0].searchValue
//url contains data[0].searchValue //works
//Issue #2: 'doesn't work, error 'matches regex' operator requires string arguments
or name matches data[1].searchValue
//or name matches regex 'POST /api/repo/\d+/filters' //works
| extend operationType=
case(name == data[2].searchValue, data[2].operationName,
url contains data[0].searchValue, data[0].operationName
'Other - please check' )
| order by timestamp desc;
req | summarize Counts = count() by operationType
Ideally, a custom query would be created like below (maybe even iterating over the dynamic array property data) (Q #3):
requests | where data[0].searchKey data[0].searchOperator data[0].searchValue
In the same context, ideally the calculated operationType column would also be custom-created somehow (Q #4):
requests
| where
...
| extend operationType= case(url contains data[0].searchValue, data[0].operationName,
name matches regex data[0].searchValue, data[0].operationName)
or
requests
| where
...
| extend operationType= case(data[0].searchKey data[0].searchOperator data[0].searchValue, data[0].operationName,
data[1].searchKey data[1].searchOperator data[0].searchValue, data[0].operationName)
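- Can a dynamic value be used as the data table column name in a where statement (Issue #1)?
- Can a dynamic value be used as the right-hand side in a matches regex statement (Issue #2)?
- Can a dynamic custom query where statement be created, looping over a dynamic array (Q #3)?
- Can a calculated extended column be custom-created in a case statement (Q #4)?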
1) Can a dynamic value be used as the data table column name in a where statement?
Yes. Please check: https://docs.microsoft.com/en-us/azure/kusto/query/columnifexists
Example showing column_ifexists() and 'matches regex'
datatable (a:string, b:string)
['1', '2']
| where column_ifexists('a', '') matches regex '1'
2) Can a dynamic value be used as the right-hand side in a matches regex statement?
To some extent. In general, only constant values are supported, so you can't use row-context (where regex will vary for each row). You can, however, use toscalar() to calculate constant regular expressions as a sub-query, and use those as an argument to 'matches regex'.
https://docs.microsoft.com/en-us/azure/kusto/query/toscalarfunction
3) Can a dynamic custom query where statement be created, looping over a dynamic array?
No. Dynamic KQL queries are not supported at this moment.
4) Can a calculated extended column be custom-created in a case statement?
Yes, as long as you use techniques described in answer #1 and #2, and are not running into limitations of #3.
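Added example, not part of the original answer and not Microsoft's code: because answer 3 rules out a query that composes itself from the array, the query text can instead be generated client-side from the same rules. The Python below does that for the question's two rules, allow-listing column names and operators and emitting every value as a KQL verbatim string literal so a rule cannot change the query's structure; kql_literal, predicate, build_query and both allow-lists are hypothetical names.

```python
# Assumed allow-lists: the two searchable columns of the question's `requests`
# table and a few KQL string operators. Anything else is rejected.
ALLOWED_COLUMNS = {"url", "name"}
ALLOWED_OPERATORS = {"contains", "has", "startswith", "==", "matches regex"}


def kql_literal(value):
    """Render value as a KQL verbatim string literal: backslashes stand for
    themselves (regexes survive unchanged) and a single quote is doubled."""
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control character in literal")
    return "@'" + value.replace("'", "''") + "'"


def predicate(rule):
    """Turn one rule into '<column> <operator> <literal>' after validation."""
    key, op = rule["searchKey"], rule["searchOperator"]
    if key not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % key)
    if op not in ALLOWED_OPERATORS:
        raise ValueError("operator not allowed: %r" % op)
    return "%s %s %s" % (key, op, kql_literal(rule["searchValue"]))


def build_query(rules, days):
    """Emit the where filter and the case() column from the same rule list."""
    if not rules:
        raise ValueError("at least one rule is required")
    preds = [predicate(r) for r in rules]
    where = " or ".join("(%s)" % p for p in preds)
    branches = "".join("        %s, %s,\n" % (p, kql_literal(r["operationName"]))
                       for p, r in zip(preds, rules))
    return ("requests\n"
            "| where timestamp >= ago(%dd)\n" % int(days)
            + "| where %s\n" % where
            + "| extend operationType = case(\n" + branches
            + "        'Other - please check')\n"
            + "| summarize Counts = count() by operationType")


# The two rules from the question's `data` array.
RULES = [
    {"searchKey": "url", "searchOperator": "contains",
     "searchValue": "AjaxContent?option=something",
     "operationName": "1.1 Operation A"},
    {"searchKey": "name", "searchOperator": "matches regex",
     "searchValue": r"POST /api/repo/\d+/filters",
     "operationName": "1.2 Operation B"},
]
```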