parse-where 运算符

适用于:✅Azure 数据资源管理器Azure MonitorMicrosoft Sentinel

计算字符串表达式并将其值分析为一个或多个计算列。 得到的结果只有成功分析的字符串。

parse-where 以与 parse 相同的方式分析字符串,并筛选出未成功分析的字符串。

请参阅 parse 运算符,该运算符对未成功分析的字符串生成 null。

语法

T | parse-where [kind=kind [flags= regexFlags]] expression with * (stringConstant columnName [: columnType]) *...

详细了解语法约定

参数

客户 类型​​ 必需 说明
T string ✔️ 要分析的表格输入。
kind string ✔️ 支持的类型值之一。 默认值为 simple
regexFlags string 如果 kindregex,则可以指定要使用的正则表达式标志,例如 U 表示 ungreedy,m 表示多行模式,s 表示匹配新行 \ni 表示不区分大小写。 可以在标志中找到更多标志。
expression string ✔️ 计算结果为字符串的表达式。
stringConstant string ✔️ 要搜索和分析的字符串常量。
columnName string ✔️ 要为其赋值的列的名称(从字符串表达式中提取)。
columnType string 一个标量值,指示要将值转换为何种类型。 默认为 string

注意

  • 如果还希望删除或重命名某些列,请使用 project
  • 在模式中使用 * 可跳过垃圾值。 此值不能用在 string 列后。
  • 除 StringConstant 外,分析模式还可以 ColumnName 开头 。
  • 如果分析的表达式不是 string 类型,则会将其转换为 string 类型。

支持的类型值

文本 说明
simple 这是默认值。 stringConstant 是一个正则字符串值,匹配是严格的。 所有字符串分隔符都应出现在分析的字符串中,并且所有扩展列都必须与所需类型匹配。
regex stringConstant 可能是正则表达式,匹配是严格的。 所有字符串分隔符(对于此模式,可以是正则表达式)都应出现在分析的字符串中,并且所有扩展列都必须与所需类型匹配。

正则表达式模式

在正则表达式模式下,分析会将模式转换为正则表达式,并使用正则表达式以便使用在内部处理的已捕获的组(有编号)进行匹配。 例如:

parse-where kind=regex Col with * <regex1> var1:string <regex2> var2:long

分析过程在内部生成的正则表达式将为 .*?<regex1>(.*?)<regex2>(\-\d+)

  • * 转换为 .*?
  • string 转换为 .*?
  • long 转换为 \-\d+

返回

输入表,根据提供给运算符的列的列表进行扩展。

注意

只有成功分析的字符串才会出现在输出中。 与模式不匹配的字符串将被筛选掉。

示例

parse-where 运算符提供了一种简单的方法,可通过对同一 string 表达式使用多个 extract 应用程序来 extend 某个表。 当表中有一个 string 列,其中包含多个要分解为单独列的值时,这会非常有用。 例如,你可分解开发人员 trace ("printf"/"Console.WriteLine") 语句生成的列。

使用 parse

在下面的示例中,Traces 表的 EventText 列包含 Event: NotifySliceRelease (resourceName={0}, totalSlices= {1}, sliceNumber={2}, lockTime={3}, releaseTime={4}, previousLockTime={5}) 格式的字符串。 以下操作将用六个列扩展该表:resourceNametotalSlicessliceNumberlockTimereleaseTimepreviousLockTimeMonthDay

有一些字符串未完全匹配。

如果使用 parse,计算列将具有 null 值。

let Traces = datatable(EventText: string)
    [
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=invalid_number, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=invalid_datetime, previousLockTime=02/17/2016 08:39:00)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=20, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=invalid_number, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces  
| parse EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices: long * "sliceNumber=" sliceNumber: long * "lockTime=" lockTime ", releaseTime=" releaseTime: date "," * "previousLockTime=" previouLockTime: date ")" *  
| project
    resourceName,
    totalSlices,
    sliceNumber,
    lockTime,
    releaseTime,
    previouLockTime

输出

resourceName totalSlices sliceNumber lockTime releaseTime previousLockTime
PipelineScheduler 27 20 02/17/2016 08:40:01 2016-02-17 08:40:01.0000000 2016-02-17 08:39:01.0000000
PipelineScheduler 27 22 02/17/2016 08:41:01 2016-02-17 08:41:00.0000000 2016-02-17 08:40:01.0000000

使用 parse-where

如果使用“parse-where”,将从结果中筛选出未成功分析的字符串。

let Traces = datatable(EventText: string)
    [
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=invalid_number, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=invalid_datetime, previousLockTime=02/17/2016 08:39:00)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=20, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=invalid_number, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces  
| parse-where EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices: long * "sliceNumber=" sliceNumber: long * "lockTime=" lockTime ", releaseTime=" releaseTime: date "," * "previousLockTime=" previousLockTime: date ")" *  
| project
    resourceName,
    totalSlices,
    sliceNumber,
    lockTime,
    releaseTime,
    previousLockTime

输出

resourceName totalSlices sliceNumber lockTime releaseTime previousLockTime
PipelineScheduler 27 20 02/17/2016 08:40:01 2016-02-17 08:40:01.0000000 2016-02-17 08:39:01.0000000
PipelineScheduler 27 22 02/17/2016 08:41:01 2016-02-17 08:41:00.0000000 2016-02-17 08:40:01.0000000

使用正则表达式标志的正则表达式模式

若要获取 resourceName 和 totalSlices,请使用以下查询:

let Traces = datatable(EventText: string)
    [
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=non_valid_integer, sliceNumber=11, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=02/17/2016 08:40:00, previousLockTime=02/17/2016 08:39:00)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=non_valid_integer, sliceNumber=44, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces
| parse-where kind = regex EventText with * "RESOURCENAME=" resourceName "," * "totalSlices=" totalSlices: long "," *
| project resourceName, totalSlices

输出

resourceName totalSlices

具有不区分大小写的正则表达式标志的 parse-where

在上述查询中,默认模式为区分大小写,因此字符串已成功分析。 未获得结果。

若要获取所需结果,请运行包含不区分大小写的 (i) 正则表达式标志的 parse-where

只会成功分析三个字符串,因此结果为三个记录(某些 totalSlices 包含无效整数)。

let Traces = datatable(EventText: string)
    [
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=non_valid_integer, sliceNumber=11, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=02/17/2016 08:40:00, previousLockTime=02/17/2016 08:39:00)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=non_valid_integer, sliceNumber=44, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces
| parse-where kind = regex flags=i EventText with * "RESOURCENAME=" resourceName "," * "totalSlices=" totalSlices: long "," *
| project resourceName, totalSlices

输出

resourceName totalSlices
PipelineScheduler 27
PipelineScheduler 27
PipelineScheduler 27