使用 KQL 中的可重用函数将一列拆分为多列
Splitting one column into multiple columns with a re-usable function in KQL
我是 KQL 的新手,我可能对我用来解决这个问题的方法有完全错误的想法,所以请随时提出更好的方法,但我会尽力解释我的想法正在努力实现。
我正在使用许多不同的查询来查询特定的数据集,但关于它的一个一致的事情是其中一列需要从疯狂的文本字段解析为多列。
原始数据的列是诸如“Computer”、“User”之类的东西,然后是一个像这样的大字符串字段:
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=23, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)"
所以我定义了一个函数(当函数中没有 运行 时可以工作)将该字符串列解析为多个字符串列:
Let parseEventData = (EventData:string){
EventData
| parse EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices:long * "sliceNumber=" sliceNumber:long * "lockTime=" lockTime ", releaseTime=" releaseTime:date "," * "previousLockTime=" previousLockTime:date ")" *
| project resourceName, totalSlices, sliceNumber, lockTime, releaseTime, previousLockTime
}
所以现在我想输出一个新的 table,它是 "Computer","User","resourceName", "totalSlices", "sliceNumber", "lockTime", "releaseTime", "previousLockTime “
例如原来的 table 但此列已被解析。
我试过类似的东西:
Events
| where parameter == "blah"
| project name,computer,parseEventData(EventData)
但是会报错
Operator source expression should be table or column
有没有办法像这样将 table 添加到 2 个现有列,或者我找错树了?
注:
如果我根本不使用函数而只是使用另一个管道并在那里进行解析,这确实有效。问题是我将对我所做的几乎每个查询都使用这种类型的解析,我觉得每次都写出整个东西可能真的很混乱/很耗时!希望一切都有意义。
谢谢:)
你可以试试这个:
let EventData = datatable(Computer:string, User:string, EventText:string)
[
"C1", "U1", "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=23, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)"
];
let parseEventData = (T:(EventText:string)) {
T
| parse EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices:long * "sliceNumber=" sliceNumber:long * "lockTime=" lockTime ", releaseTime=" releaseTime:date "," * "previousLockTime=" previousLockTime:date ")" *
| extend resourceName, totalSlices, sliceNumber, lockTime, releaseTime, previousLockTime
| project-away EventText
};
parseEventData(EventData)
Computer
User
resourceName
totalSlices
sliceNumber
lockTime
releaseTime
previousLockTime
C1
U1
PipelineScheduler
27
23
02/17/2016 08:40:01
2016-02-17 08:40:01.0000000
2016-02-17 08:39:01.0000000
或者,您可以使用 invoke 运算符,如下所示:
EventData
| where <condition>
| invoke parseEventData()
我是 KQL 的新手,我可能对我用来解决这个问题的方法有完全错误的想法,所以请随时提出更好的方法,但我会尽力解释我的想法正在努力实现。
我正在使用许多不同的查询来查询特定的数据集,但关于它的一个一致的事情是其中一列需要从疯狂的文本字段解析为多列。
原始数据的列是诸如“Computer”、“User”之类的东西,然后是一个像这样的大字符串字段:
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=23, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)"
所以我定义了一个函数(当函数中没有 运行 时可以工作)将该字符串列解析为多个字符串列:
Let parseEventData = (EventData:string){
EventData
| parse EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices:long * "sliceNumber=" sliceNumber:long * "lockTime=" lockTime ", releaseTime=" releaseTime:date "," * "previousLockTime=" previousLockTime:date ")" *
| project resourceName, totalSlices, sliceNumber, lockTime, releaseTime, previousLockTime
}
所以现在我想输出一个新的 table,它是 "Computer","User","resourceName", "totalSlices", "sliceNumber", "lockTime", "releaseTime", "previousLockTime “ 例如原来的 table 但此列已被解析。
我试过类似的东西:
Events
| where parameter == "blah"
| project name,computer,parseEventData(EventData)
但是会报错
Operator source expression should be table or column
有没有办法像这样将 table 添加到 2 个现有列,或者我找错树了?
注:
如果我根本不使用函数而只是使用另一个管道并在那里进行解析,这确实有效。问题是我将对我所做的几乎每个查询都使用这种类型的解析,我觉得每次都写出整个东西可能真的很混乱/很耗时!希望一切都有意义。
谢谢:)
你可以试试这个:
let EventData = datatable(Computer:string, User:string, EventText:string)
[
"C1", "U1", "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=23, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)"
];
let parseEventData = (T:(EventText:string)) {
T
| parse EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices:long * "sliceNumber=" sliceNumber:long * "lockTime=" lockTime ", releaseTime=" releaseTime:date "," * "previousLockTime=" previousLockTime:date ")" *
| extend resourceName, totalSlices, sliceNumber, lockTime, releaseTime, previousLockTime
| project-away EventText
};
parseEventData(EventData)
| Computer | User | resourceName | totalSlices | sliceNumber | lockTime | releaseTime | previousLockTime |
|---|---|---|---|---|---|---|---|
| C1 | U1 | PipelineScheduler | 27 | 23 | 02/17/2016 08:40:01 | 2016-02-17 08:40:01.0000000 | 2016-02-17 08:39:01.0000000 |
或者,您可以使用 invoke 运算符,如下所示:
EventData
| where <condition>
| invoke parseEventData()