How to use Regex in kusto query
So I have a Kusto query like this:
exceptions
| extend A_= tostring(customDimensions.A)
| where A_ in~ ("Could not get notes: From:", "failed to call", "Custom conference list" )
// | where A_ contains 'Could not get notes: From:' //This is working when I use "contains" operator but fails to check below 2 items when the first item doesn't exist
// | where A_ contains 'Custom conference list'
// | where A_ contains 'failed to call'
The first item in the list is "Could not get notes: From:", and it has multiple IDs at the end of the string.
For example:
Could not get notes: From: abcd
Could not get notes: From: abcdef
What I want to do is get all the items that start with "Could not get notes: From:" and use them in the "in~" operator.
So far I have tried using the contains operator, as shown below:
| where A_ contains 'Could not get notes: From:' // This seems to be working as it is outputting every item that starts with "Could not get notes: From:" but when I am trying to use it in the "in~" it is failing.
The problem with using the "contains" operator for each unique item is that if any of the items (say, out of 3 items) doesn't exist, the query returns no results, even though 2 items still exist.
Not sure whether there is a better solution.
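You should use has_any instead:
exceptions
| extend A_= tostring(customDimensions.A)
| where A_ has_any ("Could not get notes: From:", "failed to call", "Custom conference list")
Also, note that contains is significantly slower than has/has_any, because the latter use the index to fetch only the relevant records, while contains scans all records. Note, however, that there is a semantic difference between the two: contains looks for a substring, while has only looks for full tokens. For example, "hello world" contains "hell" will return true, while "hello world" has "hell" will return false. See more in the String Operators documentation.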
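The operators discussed in this thread, evaluated side by side over constructed rows so that each one's behaviour is visible per row. This is an added example, not part of the original question or answer; the `sample` table, its rows, and the output column names are assumptions made for illustration.

```kusto
// Constructed sample rows standing in for tostring(customDimensions.A)
// from the exceptions table in the question.
let sample = datatable(A_: string)
[
    "Could not get notes: From: abcd",
    "Could not get notes: From: abcdef",
    "failed to call",
    "Custom conference list",
    "hello world"
];
sample
| extend
    // in~ : case-insensitive comparison against the WHOLE string,
    // so a value with a trailing ID is not equal to the listed prefix.
    eq_in = A_ in~ ("Could not get notes: From:", "failed to call", "Custom conference list"),
    // has_any : true when any listed value matches on full tokens (indexed).
    tok_has_any = A_ has_any ("Could not get notes: From:", "failed to call", "Custom conference list"),
    // contains joined with "or": substring match for any one of the values.
    sub_or = A_ contains "Could not get notes: From:"
          or A_ contains "failed to call"
          or A_ contains "Custom conference list",
    // Consecutive "| where A_ contains ..." lines, as in the commented-out
    // attempt, each filter the previous result: that is the same as "and",
    // which requires one row to contain all three values at once.
    sub_and = A_ contains "Could not get notes: From:"
          and A_ contains "failed to call"
          and A_ contains "Custom conference list",
    // The token vs. substring difference from the answer's own example.
    has_hell = A_ has "hell",
    contains_hell = A_ contains "hell"
```

Replacing `extend` with `where` on any one of these expressions turns it into the corresponding filter.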