azure kql parse function - unable to parse ? using regex (zero or one time)
I am trying to parse this line:
01/11/1011 11:11:11: LOG SERVER = 1 URL = /one/one.aspx/ AccountId = 1111 MainId = 1111 UserAgent = Browser = Chrome , Version = 11.0, IsMobile = False, IP = 1.1.1.1 MESSAGE = sample message TRACE = 1
using this parse statement:
parse-where kind=regex flags=i message with
timestamp:datetime
":.*LOG SERVER = " log_server:string
".*URL = " url:string
".*AccountId = " account_id:string
".*MainId = " main_id:string
".*?UserAgent = " user_agent:string
",.*Version = " version:string
",.*IsMobile = " is_mobile:string
",.*IP = " ip:string
".*MESSAGE = " event:string
".*TRACE = " trace:string
Now the problem is that sometimes I get records that are missing one of the "key = value" pairs, while the order of the remaining columns stays the same.
To match the various lines I wanted to just add ()?, for example:
"(,.*Version = )?" version:string
but it fails every time.
I think the parse/parse-where operators are more useful when the input is well formatted; in this case the values that may be missing make it tricky/impossible to use these operators.
If you control the format of the input string, consider normalizing it so that it always includes all fields and/or adding delimiters and quotes where appropriate.
Otherwise you can parse it using the extract function; the following expressions will work even when some of the lines are missing some of the fields:
| extend
timestamp = extract("(.*): .*", 1, message, typeof(datetime)),
log_server = extract(".*LOG SERVER = ([^\s]*).*", 1, message),
url = extract(".*URL = ([^\s]*).*", 1, message),
main_id = extract(".*MainId = ([^\s]*).*", 1, message),
user_agent = extract(".*UserAgent = ([^,]*).*", 1, message),
version = extract(".*Version = ([^,]*).*", 1, message),
is_mobile = extract(".*IsMobile = ([^,]*).*", 1, message),
ip = extract(".*IP = ([^\s]*).*", 1, message),
event = iff(message has "TRACE", extract(".*MESSAGE = (.*) TRACE.*", 1, message), extract(".*MESSAGE = (.*)", 1, message)),
trace = extract(".*TRACE = (.*)", 1, message)
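The approach in the answer, worked through in Python as an added example that is not part of the original post (the `re` module stands in for Kusto's RE2 engine; for these patterns the two agree), so the two cases the question raises, a line missing its `MainId = ...` pair and a line with no TRACE field, can be checked offline. It also shows a caveat the answer's patterns carry: the leading greedy `.*` makes each extract pick the last occurrence of its key, so a key name that appears inside a free-text field such as MESSAGE or UserAgent (fields a remote client usually controls) overrides the real one. The sample lines other than the first, the `HARDENED_PATTERNS` table and the function names are assumptions of this example; the AccountId pattern, which the answer omits, is added here.

```python
import re
from typing import Dict, Optional

# Constructed sample lines. Only FULL comes from the post; the others are
# derived here: the same line missing "MainId = ...", the same line without a
# TRACE field, and one whose free-text MESSAGE carries an injected "IP = " key.
FULL = (
    "01/11/1011 11:11:11: LOG SERVER = 1 URL = /one/one.aspx/ AccountId = 1111 "
    "MainId = 1111 UserAgent = Browser = Chrome , Version = 11.0, IsMobile = False, "
    "IP = 1.1.1.1 MESSAGE = sample message TRACE = 1"
)
NO_MAINID = FULL.replace("MainId = 1111 ", "")
NO_TRACE = FULL.replace(" TRACE = 1", "")
INJECTED = FULL.replace("sample message", "login from IP = 9.9.9.9")

# Per-field patterns as written in the answer above (plus AccountId, which the
# answer omitted). The leading greedy ".*" is kept to reproduce its behaviour.
ANSWER_PATTERNS: Dict[str, str] = {
    "timestamp":  r"(.*): .*",
    "log_server": r".*LOG SERVER = ([^\s]*).*",
    "url":        r".*URL = ([^\s]*).*",
    "account_id": r".*AccountId = ([^\s]*).*",
    "main_id":    r".*MainId = ([^\s]*).*",
    "user_agent": r".*UserAgent = ([^,]*).*",
    "version":    r".*Version = ([^,]*).*",
    "is_mobile":  r".*IsMobile = ([^,]*).*",
    "ip":         r".*IP = ([^\s]*).*",
    "trace":      r".*TRACE = (.*)",
}

# Hardened variants (an assumption of this example, not from the post): no
# leading ".*", so the first occurrence of each key wins; a word boundary so
# "IP" cannot match inside another token; and one MESSAGE pattern that stops at
# " TRACE = " or at end of line instead of branching on whether TRACE exists.
HARDENED_PATTERNS: Dict[str, str] = {
    "timestamp":  r"^(.*?): ",
    "log_server": r"\bLOG SERVER = (\S*)",
    "url":        r"\bURL = (\S*)",
    "account_id": r"\bAccountId = (\S*)",
    "main_id":    r"\bMainId = (\S*)",
    "user_agent": r"\bUserAgent = ([^,]*)",
    "version":    r"\bVersion = ([^,]*)",
    "is_mobile":  r"\bIsMobile = ([^,]*)",
    "ip":         r"\bIP = (\S*)",
    "event":      r"\bMESSAGE = (.*?)(?: TRACE = |$)",
    "trace":      r"\bTRACE = (.*)",
}


def extract(pattern: str, line: str) -> Optional[str]:
    """Stand-in for KQL extract(regex, 1, source): group 1, or None if no match.

    Values are trimmed here for readability; the KQL answer returns the raw
    capture (trim() in KQL would give the same result).
    """
    m = re.search(pattern, line)
    return m.group(1).strip() if m else None


def parse_with_extract(line: str) -> Dict[str, Optional[str]]:
    """The answer's approach: one extract() per field, so a missing key only
    blanks its own column. 'event' mirrors the iff(message has "TRACE", ...) branch."""
    fields = {name: extract(pat, line) for name, pat in ANSWER_PATTERNS.items()}
    if re.search(r"\bTRACE\b", line):  # KQL: message has "TRACE"
        fields["event"] = extract(r".*MESSAGE = (.*) TRACE.*", line)
    else:
        fields["event"] = extract(r".*MESSAGE = (.*)", line)
    return fields


def parse_hardened(line: str) -> Dict[str, Optional[str]]:
    """Same per-field idea with the first-occurrence, word-bounded patterns."""
    return {name: extract(pat, line) for name, pat in HARDENED_PATTERNS.items()}


if __name__ == "__main__":
    samples = [("full", FULL), ("no MainId", NO_MAINID),
               ("no TRACE", NO_TRACE), ("injected key", INJECTED)]
    for label, line in samples:
        print(f"--- {label}")
        print("answer  :", parse_with_extract(line))
        print("hardened:", parse_hardened(line))
```

On the missing-field lines both variants return None for the absent column and the correct value for every other column, which is the point of the answer. On the injected line the answer's `ip` pattern returns the attacker-supplied 9.9.9.9 while the hardened one returns 1.1.1.1. First-occurrence matching only helps because the free-text fields come last in this format; a key injected into UserAgent, which precedes IP, would still win, so the answer's first suggestion, normalizing the producer to quote or delimit values, is the real fix. When moving the hardened patterns back into KQL, write them as @"..." verbatim string literals so the backslashes in \b and \S reach the regex engine unchanged.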