如何在 kusto 查询中使用正则表达式

How to use Regex in kusto query

所以我有一个像这样的 Kusto 查询

exceptions
| extend A_= tostring(customDimensions.A)
| where A_ in~ ("Could not get notes: From:", "failed to call", "Custom conference list" )
// | where A_ contains 'Could not get notes: From:' //This is working when I use "contains" operator but fails to check below 2 items when the first item doesn't exist
// | where A_ contains 'Custom conference list'
// | where A_ contains 'failed to call'

列表中的第一项是“Could not get notes: From:”,它在字符串末尾有多个 ID

例如;

无法获取注释:发件人:abcd

无法获取注释:来自:abcdef

我想做的是获取所有以“Could not get notes: From:”开头的项目,并在“in~”运算符中使用它们。

到目前为止,我已尝试使用如下所示的包含运算符

|where A_ contains 'Could not get notes: From:' // This seems to be working as it will outputting every item that starts with "Could not get notes: From:" but when I am trying to use it in the "in~" it is failing.

对每个唯一项目使用“包含”运算符的问题是,如果任何项目(比如 3 个项目)不存在,查询 returns 没有结果,即使 2 个项目仍然存在.

不确定是否有更好的解决方案。

您应该改用 has_any

exceptions
| extend A_= tostring(customDimensions.A)
| where A_ has_any ("Could not get notes: From:", "failed to call", "Custom conference list")

另外,注意contains明显比has/has_any慢,因为后者使用索引只获取相关记录,而contains扫描所有记录。但是请注意,两者之间存在语义差异:contains 查找子字符串,而 has 仅查找完整标记。例如,"hello world" contains "hell" 将 return true,而 "hello world" has "hell" 将 return false。在 String Operators 文档中查看更多信息。