
I am trying to use the parse operator to split data into its respective fields. It seems the data can only be parsed between one-off regex patterns, but I need to capture a pattern into a variable. So far I have the following query:

let Traces = datatable(EventText:string)
[
    '2021-10-04T20:43:03,174    2511 INFO cd060096-c6c4-4ddf-b9f7-5795f6d04514 c2a42807-6ab3-41bb-8d72-1c48f2213c31 iTKTS Fiona (ABSDEF) () () () ITKTSUtil - <ProductFulfillmentResponse>U2028  <errorStatus>UNPROCESSED</errorStatus>U2028  <errorCode>GEN_ERR</errorCode>U2028  <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028  <customerDocuments>U2028    <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028    <itemFulfillmentInfos>U2028      <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028    </itemFulfillmentInfos>U2028  </customerDocuments>U2028</ProductFulfillmentResponse>U2028'
];
Traces  
| parse kind = regex EventText with _timestamp ",\\d{3} " _threadid " " _logLevel " " _clientTransactionId " " _appTransactionId " " _appService " " _bigeazy " \\(" _recordLocator "\\) \\(" _status "\\) \\(" _responseTime "\\) \\(" _serviceName "\\) " _className " - " _message
| project _className, _message

I need _className to match "ITKTSUtil". By default a variable matches the pattern (.*?). If I change it to _className:long it matches the pattern (\-\d+). But I need it to match the pattern \w*, and then have that captured into the variable _className. Can KQL do this?


1 Answer


Please try the following:

let Traces = datatable(EventText:string)
[
    '2021-10-04T20:43:03,174    2511 INFO cd060096-c6c4-4ddf-b9f7-5795f6d04514 c2a42807-6ab3-41bb-8d72-1c48f2213c31 iTKTS Fiona (ABSDEF) () () () ITKTSUtil - <ProductFulfillmentResponse>U2028  <errorStatus>UNPROCESSED</errorStatus>U2028  <errorCode>GEN_ERR</errorCode>U2028  <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028  <customerDocuments>U2028    <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028    <itemFulfillmentInfos>U2028      <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028    </itemFulfillmentInfos>U2028  </customerDocuments>U2028</ProductFulfillmentResponse>U2028'
];
Traces  
| parse kind = regex flags=U EventText with _timestamp ",\\d{3} " _threadid " " _logLevel " " _clientTransactionId " " _appTransactionId " " _appService " " _bigeazy " \\(" _recordLocator "\\) \\(" _status "\\) \\(" _responseTime "\\) \\(" _serviceName "\\) " _className " - " _message "$"
| project _className, _message

The main idea is to use flags on the parse regex pattern (the regex flag U, which means ungreedy, so that only the required fields are matched, and appending "$" so that the parse regex pattern is required to perform a full match).

Note that if you know your pattern in advance, it is recommended to use parse with a simple pattern, which is much faster.

answered 2021-10-05T12:26:55.083
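As an added example (not part of the question or of the answer above), the same sample line parsed two ways: first with the simple-mode parse that the answer recommends, then with extract(), which lets _className be constrained to \w+ as the question asked. The queries assume the fixed layout visible in the sample line (timestamp, milliseconds, four spaces, thread id, level, two GUIDs, service, app name, four parenthesised fields, class name, " - ", message); the sample row is the one from the question.

```kusto
// Added example, not from the question or the answer. Assumes the layout of the
// question's sample line; the datatable row is that sample line, reused here.
let Traces = datatable(EventText:string)
[
    '2021-10-04T20:43:03,174    2511 INFO cd060096-c6c4-4ddf-b9f7-5795f6d04514 c2a42807-6ab3-41bb-8d72-1c48f2213c31 iTKTS Fiona (ABSDEF) () () () ITKTSUtil - <ProductFulfillmentResponse>U2028  <errorStatus>UNPROCESSED</errorStatus>U2028  <errorCode>GEN_ERR</errorCode>U2028  <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028  <customerDocuments>U2028    <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028    <itemFulfillmentInfos>U2028      <errorDescription>WARNING - UNPROCESSED DUE TO OTHER ERRORS</errorDescription>U2028    </itemFulfillmentInfos>U2028  </customerDocuments>U2028</ProductFulfillmentResponse>U2028'
];
// 1. Simple mode (the default kind): string constants are literal delimiters,
//    nothing needs regex escaping, and each string column captures the shortest
//    text up to the next delimiter. The three empty "()" fields come back as
//    empty strings rather than as a failed parse. The four spaces after the
//    milliseconds are an assumption taken from the sample line.
Traces
| parse EventText with _timestamp "," _millis:long "    " _threadid:long " " _logLevel " "
    _clientTransactionId " " _appTransactionId " " _appService " " _bigeazy
    " (" _recordLocator ") (" _status ") (" _responseTime ") (" _serviceName ") "
    _className " - " _message
| project _threadid, _logLevel, _recordLocator, _className, _message
```

```kusto
// 2. When one field must satisfy a character class, use extract() with a full
//    regex: "\) " anchors on the closing parenthesis of the last "(...)" field,
//    (\w+) is the class name, " - " is the first delimiter after it, and "$"
//    makes the message group run to the end of the line. extract() returns null
//    when the regex does not match, so isnotempty() drops rows that do not fit
//    the expected layout instead of carrying empty fields forward.
let Traces = datatable(EventText:string)
[
    '2021-10-04T20:43:03,174    2511 INFO cd060096-c6c4-4ddf-b9f7-5795f6d04514 c2a42807-6ab3-41bb-8d72-1c48f2213c31 iTKTS Fiona (ABSDEF) () () () ITKTSUtil - <ProductFulfillmentResponse>U2028  <errorStatus>UNPROCESSED</errorStatus>U2028  <errorCode>GEN_ERR</errorCode>U2028</ProductFulfillmentResponse>U2028'
];
Traces
| extend _className = extract(@"\) (\w+) - ", 1, EventText)
| extend _message   = extract(@"\) \w+ - (.*)$", 1, EventText)
| where isnotempty(_className)
| project _className, _message
```

Both queries run as written in a Kusto or Log Analytics query window. In the simple-mode query, _className stops at the first " - " after the last parenthesised field rather than at one of the " - " inside the errorDescription elements, because each column captures only up to the next delimiter. The extract() form costs a regex evaluation per row, so prefer it only for the fields that genuinely need a character class and leave the fixed delimiters to simple-mode parse.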