Data Explorer KQL filtering and mapping JSONs in a list (dynamic type)
I want to filter and transform JSONs in an array.
I have the following table:
let fooTable = datatable(str: string, record: dynamic) [
"name1", dynamic([{"q": "foo", "type": "B1"}]),
"name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
"name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
"name4", dynamic([{"q": "foo", "type": "B1"}]),
"name5", dynamic([{"q": "b42", "type": "B1"}]),
"name6", dynamic([{"q": "f42", "type": "C1"}]),
"name7", dynamic([{"q": "foo", "type": "B1"}])
];
I want to filter the JSONs by the "type" field and apply a small transformation.
So let's say I want to filter by "type" "C1"; my output would then be:
[
"name2", dynamic([{"q": "bar", "type": "C1", "qtype": "barC1"}, {"q": "bar2", "type": "B1", "qtype": "bar2B1"}]),
"name3", dynamic([{"q": "foo", "type": "C1", "qtype": "fooC1"}, {"q": "foo2", "type": "C1", "qtype": "foo2C1"}]),
"name6", dynamic([{"q": "f42", "type": "C1", "qtype": "f42C1"}])
]
I tried the following:
fooTable
| mv-apply v=record on (
where v.type == "C1"
| extend r2 = pack(
"q", v.q,
"type", v.type,
"qtype", strcat(v.q, v.type))
| summarize record = make_list(r2)
)
| project str, record
But if the type is not "C1", it just returns an empty array in the row:
name1 []
name2 [{"q":"bar","type":"C1","qtype":"barC1"}]
name3 [{"q":"foo","type":"C1","qtype":"fooC1"},{"q":"foo2","type":"C1","qtype":"foo2C1"}]
name4 []
name5 []
name6 [{"q":"f42","type":"C1","qtype":"f42C1"}]
name7 []
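I want to filter those rows out entirely (no empty rows).
You could try this:
- First, filter for records in which any of the members has type = C1
- Then use the bag_merge() function to extend the records with the additional qtype property: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/bag-merge-function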
let fooTable = datatable(str: string, record: dynamic) [
"name1", dynamic([{"q": "foo", "type": "B1"}]),
"name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
"name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
"name4", dynamic([{"q": "foo", "type": "B1"}]),
"name5", dynamic([{"q": "b42", "type": "B1"}]),
"name6", dynamic([{"q": "f42", "type": "C1"}]),
"name7", dynamic([{"q": "foo", "type": "B1"}])
];
fooTable
| where tostring(record) has '"type":"C1"'
| mv-apply r = record on (
extend record = bag_merge(r, pack("qtype", strcat(r.q, r.type)))
| summarize record = make_list(record)
)
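Added example, not part of the original answer: a structural variant that checks each array member's own type field with countif() inside mv-apply, instead of string-matching the serialized array (which depends on the serialized form and sees the pair anywhere in the text, including nested objects). The name8 row is constructed for comparison, and the names m and c1 are assumptions introduced here.

```kql
// Rows name1..name7 are the question's table; name8 is a constructed row in which
// "type":"C1" appears only inside a nested object, not as a member's own type.
let fooTable = datatable(str: string, record: dynamic) [
    "name1", dynamic([{"q": "foo", "type": "B1"}]),
    "name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
    "name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
    "name4", dynamic([{"q": "foo", "type": "B1"}]),
    "name5", dynamic([{"q": "b42", "type": "B1"}]),
    "name6", dynamic([{"q": "f42", "type": "C1"}]),
    "name7", dynamic([{"q": "foo", "type": "B1"}]),
    "name8", dynamic([{"q": "foo", "type": "B1", "meta": {"type": "C1"}}])
];
fooTable
| mv-apply r = record on (
    // m: the member extended with qtype, built the same way as in the answer
    extend m = bag_merge(r, pack("qtype", strcat(r.q, r.type)))
    // c1: number of members whose top-level type is exactly "C1"
    | summarize record = make_list(m), c1 = countif(tostring(r.type) == "C1")
)
// keep only rows that have at least one C1 member; all members stay in the list
| where c1 > 0
| project str, record
```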