
I am providing a csv file as an external data source in my KQL. I run a query to match on a column:

Events | where Title has_any (ColumnName) | project Title, EventId

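Now, I want to join the output with the matched column value. For example, if the column has the values "test", "test2", "test3" and "test2" matched in the query above, the result table should look like this: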

Title,EventId,MatchedColumnValue

Please help.


1 Answer


Here is how to do it using the has_any_index() function:

let Values = dynamic(["title1", "title2", "title3"]);
let Events = datatable(EventId:int, Title:string)[1,"this is title2, and its boring", 2, "title3 is great", 3, "Nothing to find"];
Events
| extend Idx = has_any_index(Title, Values)
| extend MatchedTitle = iif(Idx<0, "", tostring(Values[Idx]))
| project-away Idx
Answered 2021-08-25T07:00:54.907
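
The answer's approach applied to the question's case, where the values come from a table column rather than a literal array. This is an added example, not part of the original answer; the `Lookup` table is a constructed stand-in for the CSV loaded as external data, and the sample rows are constructed.

```kusto
// Constructed stand-in for the lookup list; in the question this table
// comes from the CSV external data source and has a column named ColumnName.
let Lookup = datatable(ColumnName:string)["test", "test2", "test3"];
// Collapse the column into one dynamic array so it can be indexed later.
let Values = toscalar(Lookup | summarize make_list(ColumnName));
// Constructed sample events.
let Events = datatable(EventId:int, Title:string)[
    1, "alert raised for test2 host",
    2, "nothing relevant here",
    3, "scan of test3 finished"
];
Events
// Index of the matching array element, or -1 when no element matches.
| extend Idx = has_any_index(Title, Values)
// Keep only matching rows, as the original has_any filter did.
| where Idx >= 0
// Look the matched value up by its index in the array.
| extend MatchedColumnValue = tostring(Values[Idx])
| project Title, EventId, MatchedColumnValue
```

has_any_index() returns a single index, so a title that contains several of the listed values yields only one matched value per row.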