Kusto - Assign Custom Regex To Variable in the Parse Operator

I am trying to use the parse operator to parse data into its respective fields. It seems that data can only be parsed between one-off regex patterns, but I need the pattern to be captured into a variable. So far I have the following query:

let Traces = datatable(EventText:string)
[
    '2021-10-04T20:43:03,174    2511 INFO cd060096-c6c4-4ddf-b9f7-5795f6d04514 c2a42807-6ab3-41bb-8d72-1c48f2213c31 iTKTS Fiona (ABSDEF) () () () ITKTSUtil - <ProductFulfillmentResponse>U2028  <errorStatus>UNPROCESSED</errorStatus>U2028  <errorCode>GEN_ERR</errorCode>U2028  <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028  <customerDocuments>U2028    <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028    <itemFulfillmentInfos>U2028      <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028    </itemFulfillmentInfos>U2028  </customerDocuments>U2028</ProductFulfillmentResponse>U2028'
];
Traces  
| parse kind = regex EventText with _timestamp ",\d{3} " _threadid " " _logLevel " " _clientTransactionId " " _appTransactionId " " _appService " " _bigeazy " \(" _recordLocator "\) \(" _status "\) \(" _responseTime "\) \(" _serviceName "\) " _className " - " _message
| project _className, _message

I need _className to match "ITKTSUtil". By default, a variable matches the pattern (.*?). If I change it to _className:long, it matches the pattern (\-\d+). But I need it to match the pattern //w* and then be captured into the variable _className. Is this possible in KQL?

Please try the following:

let Traces = datatable(EventText:string)
[
    '2021-10-04T20:43:03,174    2511 INFO cd060096-c6c4-4ddf-b9f7-5795f6d04514 c2a42807-6ab3-41bb-8d72-1c48f2213c31 iTKTS Fiona (ABSDEF) () () () ITKTSUtil - <ProductFulfillmentResponse>U2028  <errorStatus>UNPROCESSED</errorStatus>U2028  <errorCode>GEN_ERR</errorCode>U2028  <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028  <customerDocuments>U2028    <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028    <itemFulfillmentInfos>U2028      <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028    </itemFulfillmentInfos>U2028  </customerDocuments>U2028</ProductFulfillmentResponse>U2028'
];
Traces  
| parse kind = regex flags=U EventText with _timestamp ",\d{3} " _threadid " " _logLevel " " _clientTransactionId " " _appTransactionId " " _appService " " _bigeazy " \(" _recordLocator "\) \(" _status "\) \(" _responseTime "\) \(" _serviceName "\) " _className " - " _message "$"
| project _className, _message

The main idea is to use the flags of the parse regex pattern (use the regex flag U, which means non-greedy, so that only the required field is matched, and add "$" to require the parse regex pattern to perform a full match).

Note that if you know the pattern in advance, it is recommended to use the faster parse simple mode.
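As an added illustration (Python, not KQL, and not code from the original post), the regex that parse kind=regex builds from the statement above can be emulated: each variable becomes a non-greedy (.*?) group, a custom sub-pattern such as \w+ can be substituted for _className, and the trailing "$" decides whether the last variable captures the rest of the line. The sample line is the one from the question, shortened, with U2028 kept as literal text; the RE2 U flag has no Python equivalent and is not reproduced here.

```python
import re

# Constructed sample: the log line from the question, shortened.
LOG_LINE = (
    "2021-10-04T20:43:03,174    2511 INFO "
    "cd060096-c6c4-4ddf-b9f7-5795f6d04514 c2a42807-6ab3-41bb-8d72-1c48f2213c31 "
    "iTKTS Fiona (ABSDEF) () () () ITKTSUtil - "
    "<ProductFulfillmentResponse>U2028  <errorStatus>UNPROCESSED</errorStatus>U2028"
    "  <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>"
    "U2028</ProductFulfillmentResponse>U2028"
)

# (variable, literal that follows it), mirroring the parse statement in the answer.
FIELDS = [
    ("_timestamp", r",\d{3} "), ("_threadid", " "), ("_logLevel", " "),
    ("_clientTransactionId", " "), ("_appTransactionId", " "), ("_appService", " "),
    ("_bigeazy", r" \("), ("_recordLocator", r"\) \("), ("_status", r"\) \("),
    ("_responseTime", r"\) \("), ("_serviceName", r"\) "), ("_className", " - "),
    ("_message", ""),
]


def build_pattern(fields, custom=None, anchor_end=False):
    """Emulate parse kind=regex: every variable is a non-greedy (.*?) group unless
    a custom sub-pattern is supplied; anchor_end appends the "$" the answer adds."""
    custom = custom or {}
    parts = [f"(?P<{name}>{custom.get(name, '.*?')}){literal}" for name, literal in fields]
    return "".join(parts) + ("$" if anchor_end else "")


def parse_line(line, custom=None, anchor_end=False):
    """Return the captured variables, or None when the pattern does not match
    (the case where a custom sub-pattern is stricter than the data)."""
    match = re.match(build_pattern(FIELDS, custom, anchor_end), line)
    return match.groupdict() if match else None


if __name__ == "__main__":
    # Without "$" the trailing (.*?) is satisfied by an empty string.
    print(repr(parse_line(LOG_LINE)["_message"]))
    # With "$" the last variable must consume the rest of the line.
    print(parse_line(LOG_LINE, anchor_end=True)["_message"])
    # The asker's wish: _className restricted to word characters only.
    print(parse_line(LOG_LINE, custom={"_className": r"\w+"}, anchor_end=True)["_className"])
```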