
I've been racking my brains over this and would appreciate some help. :)

I'd like to know how to use a wildcard (*) in the join parameters.

I need to join two tables on fields that have the same names, but some of the fields may contain a wildcard (*), because for that field I want every value to be accepted.

My exception table:

let table_excep = datatable (Computer:string, Event_id:string, logon_type:string)
[
    "Pc_01", "*",    "4",
    "Pc_02", "4648", "*",
    "*",     "*",    "60"
];

My data table:

let table_windows = datatable (Computer:string, Event_id:string, logon_type:string)
[
    "Pc_01", "5059", "4",
    "Pc_02", "4648", "1",
    "Pc_03", "61",   "60"
];

When I run it, it doesn't return any results.

For this join I want to take all 3 join fields into account, i.e. based on the exception table, if computer_name is Pc_01 and logon_type is 4, this log should be shown regardless of the event_id, because the event_id field in that exception row is a wildcard (*).

I haven't found a way to solve this, because the join condition only allows "==" and "and".

1 Answer

Cross join (inner join on 1=1) + where

let table_excep = datatable (Computer:string, Event_id:string, logon_type:string)
[
    "Pc_01", "*",    "4",
    "Pc_02", "4648", "*",
    "*",     "*",    "60"
];
let table_windows = datatable (Computer:string, Event_id:string, logon_type:string)
[
    "Pc_01", "5059", "4",
    "Pc_02", "4648", "1",
    "Pc_03", "61",   "60"
];
// A constant column on both sides turns the equi-join into a cross join:
// every exception row is paired with every event row.
table_excep | extend dummy = 1
| join kind=inner (table_windows | extend dummy = 1) on dummy
// The right-hand (event) columns get a "1" suffix. Keep a pair when each
// column is equal or the exception side holds the '*' wildcard.
| where     (Computer == Computer1 or Computer == '*')
        and (Event_id == Event_id1 or Event_id == '*')
        and (logon_type == logon_type1 or logon_type == '*')
Computer  Event_id  logon_type  dummy  Computer1  Event_id1  logon_type1  dummy1
Pc_01     *         4           1      Pc_01      5059       4            1
Pc_02     4648      *           1      Pc_02      4648       1            1
*         *         60          1      Pc_03      61         60           1

Fiddle

answered 2022-02-26T09:07:35.860
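The answer above returns the events that match an exception row. In a detection rule the exception table is usually used the other way round: suppress the events that match an exception and alert on the rest. The following query is an added example, not code from the question or the answer; it reuses the same cross-join trick and the two tables from the question, and adds one assumed extra event (Pc_04) that matches no exception so that the surviving row is visible.

```kql
// Added example (not from the original question or answer): use the exception
// table to filter events OUT rather than to list the matches.
// Table names, columns and the '*' wildcard convention come from the question;
// the Pc_04 row is an assumption added so that one event survives the filter.
let table_excep = datatable (Computer:string, Event_id:string, logon_type:string)
[
    "Pc_01", "*",    "4",
    "Pc_02", "4648", "*",
    "*",     "*",    "60"
];
let table_windows = datatable (Computer:string, Event_id:string, logon_type:string)
[
    "Pc_01", "5059", "4",    // covered by exception row 1 (Event_id wildcard)
    "Pc_02", "4648", "1",    // covered by exception row 2 (logon_type wildcard)
    "Pc_03", "61",   "60",   // covered by exception row 3 (Computer + Event_id wildcards)
    "Pc_04", "4624", "10"    // assumed extra event: matches no exception row
];
// Step 1: pair every event with every exception (cross join via a constant
// column) and keep the pairs where each column is equal or the exception
// holds '*'. Events are on the left here, so the "1"-suffixed columns are the
// exception table's columns; the wildcard test is only applied to that side,
// so a literal "*" inside event data is not treated as a wildcard.
let matched = table_windows
    | extend dummy = 1
    | join kind=inner (table_excep | extend dummy = 1) on dummy
    | where (Computer1 == Computer or Computer1 == '*')
        and (Event_id1 == Event_id or Event_id1 == '*')
        and (logon_type1 == logon_type or logon_type1 == '*')
    | project Computer, Event_id, logon_type;
// Step 2: anti-join the matched events back out; what remains is not covered
// by any exception and is what a detection would alert on.
table_windows
| join kind=leftanti matched on Computer, Event_id, logon_type
```

Two caveats worth keeping in mind when this pattern is used for an allowlist: `==` in KQL is case-sensitive, so an exception row of `"pc_01"` would not suppress events from `Pc_01` (use `=~` if the source is not consistently cased), and the cross join materialises one pair per exception row and event, so reduce the event set (time window, event IDs of interest) before the join rather than after it.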