我正在使用 Kusto 查询 azure 日志分析,并使用parse运算符提取字段,然后只保留正确解析的记录:
traces
| parse message with "Search found " people " people in " groupCount " groups"
| where people != "" and groupCount != ""
| order by n desc
是否有更简洁的方法来解析和删除不匹配的行?如果我从一组日志中解析出很多列,可能包含部分匹配,那么parse和之间的这种关联where就会变得很复杂。
相比之下,在 SumoLogic 中,parse运算符会自动删除所有与解析模式不匹配的行,这使得管道非常整洁:
*
| parse "Search found * people in * groups" as people, groupCount
| order by n desc
在 Kusto 中:“解析”运算符不会自动过滤与提供的模式不匹配的行,并且运算符在“扩展”模式下工作 - 添加更多列。如果您想过滤特定行 - 建议在 'parse' 之前使用 'where' 运算符:这也将提高性能,因为 'parse' 将扫描更少的行。
traces
| where message startswith 'Search found'
| parse message with "Search found " people " people in " groupCount " groups"
...
现在有一个内置的运算符可以执行此操作:parse-where
https://docs.microsoft.com/en-us/azure/kusto/query/parsewhereoperator
它的语法类似于parse,但会从其输出中省略任何与解析模式不匹配的记录。
所以查询:
traces
| parse message with "Search found " people " people in " groupCount " groups"
| where people != "" and groupCount != ""
| order by n desc
变成:
traces
| parse-where message with "Search found " people " people in " groupCount " groups"
| order by n desc