你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
parse-where 运算符
适用于:✅Microsoft Fabric✅Azure 数据资源管理器Azure Monitor✅Microsoft✅ Sentinel
计算字符串表达式并将其值分析为一个或多个计算列。 得到的结果只有成功分析的字符串。
parse-where 以与 parse 相同的方式分析字符串,并筛选出未成功分析的字符串。
请参阅 parse 运算符,该运算符对未成功分析的字符串生成 null。
语法
T | parse-where [kind=kind [flags= regexFlags]] expression with * (stringConstant columnName [: columnType]) *...
详细了解语法约定。
参数
| 客户 | 类型 | 必需 | 说明 |
|---|---|---|---|
| T | string |
✔️ | 要分析的表格输入。 |
| kind | string |
✔️ | 支持的类型值之一。 默认值为 simple。 |
| regexFlags | string |
如果 kind 为 regex,则可以指定要使用的正则表达式标志,例如 U 表示 ungreedy,m 表示多行模式,s 表示匹配新行 \n,i 表示不区分大小写。 可以在标志中找到更多标志。 |
|
| expression | string |
✔️ | 计算结果为字符串的表达式。 |
| stringConstant | string |
✔️ | 要搜索和分析的字符串常量。 |
| columnName | string |
✔️ | 要为其赋值的列的名称(从字符串表达式中提取)。 |
| columnType | string |
一个标量值,指示要将值转换为何种类型。 默认为 string。 |
注意
- 如果还希望删除或重命名某些列,请使用 project。
- 在模式中使用
*可跳过垃圾值。 此值不能用在string列后。 - 除 StringConstant 外,分析模式还可以 ColumnName 开头 。
- 如果分析的表达式不是
string类型,则会将其转换为string类型。
支持的类型值
| 文本 | 说明 |
|---|---|
simple |
这是默认值。 stringConstant 是一个正则字符串值,匹配是严格的。 所有字符串分隔符都应出现在分析的字符串中,并且所有扩展列都必须与所需类型匹配。 |
regex |
stringConstant 可能是正则表达式,匹配是严格的。 所有字符串分隔符(对于此模式,可以是正则表达式)都应出现在分析的字符串中,并且所有扩展列都必须与所需类型匹配。 |
正则表达式模式
在正则表达式模式下,分析会将模式转换为正则表达式,并使用正则表达式以便使用在内部处理的已捕获的组(有编号)进行匹配。 例如:
parse-where kind=regex Col with * <regex1> var1:string <regex2> var2:long
分析过程在内部生成的正则表达式将为 .*?<regex1>(.*?)<regex2>(\-\d+)。
*转换为.*?。string转换为.*?。long转换为\-\d+。
返回
输入表,根据提供给运算符的列的列表进行扩展。
注意
只有成功分析的字符串才会出现在输出中。 与模式不匹配的字符串将被筛选掉。
示例
parse-where 运算符提供了一种简单的方法,可通过对同一 string 表达式使用多个 extract 应用程序来 extend 某个表。 当表中有一个 string 列,其中包含多个要分解为单独列的值时,这会非常有用。 例如,你可分解开发人员 trace ("printf"/"Console.WriteLine") 语句生成的列。
使用 parse
在下面的示例中,Traces 表的 EventText 列包含 Event: NotifySliceRelease (resourceName={0}, totalSlices= {1}, sliceNumber={2}, lockTime={3}, releaseTime={4}, previousLockTime={5}) 格式的字符串。 以下操作将用六个列扩展该表:resourceName、totalSlices、sliceNumber、lockTime、releaseTime、previousLockTime、Month 和 Day。
有一些字符串未完全匹配。
如果使用 parse,计算列将具有 null 值。
let Traces = datatable(EventText: string)
[
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=invalid_number, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=invalid_datetime, previousLockTime=02/17/2016 08:39:00)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=20, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=invalid_number, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces
| parse EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices: long * "sliceNumber=" sliceNumber: long * "lockTime=" lockTime ", releaseTime=" releaseTime: date "," * "previousLockTime=" previouLockTime: date ")" *
| project
resourceName,
totalSlices,
sliceNumber,
lockTime,
releaseTime,
previouLockTime
输出
| resourceName | totalSlices | sliceNumber | lockTime | releaseTime | previousLockTime |
|---|---|---|---|---|---|
| PipelineScheduler | 27 | 20 | 02/17/2016 08:40:01 | 2016-02-17 08:40:01.0000000 | 2016-02-17 08:39:01.0000000 |
| PipelineScheduler | 27 | 22 | 02/17/2016 08:41:01 | 2016-02-17 08:41:00.0000000 | 2016-02-17 08:40:01.0000000 |
使用 parse-where
如果使用“parse-where”,将从结果中筛选出未成功分析的字符串。
let Traces = datatable(EventText: string)
[
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=invalid_number, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=invalid_datetime, previousLockTime=02/17/2016 08:39:00)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=20, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=invalid_number, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces
| parse-where EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices: long * "sliceNumber=" sliceNumber: long * "lockTime=" lockTime ", releaseTime=" releaseTime: date "," * "previousLockTime=" previousLockTime: date ")" *
| project
resourceName,
totalSlices,
sliceNumber,
lockTime,
releaseTime,
previousLockTime
输出
| resourceName | totalSlices | sliceNumber | lockTime | releaseTime | previousLockTime |
|---|---|---|---|---|---|
| PipelineScheduler | 27 | 20 | 02/17/2016 08:40:01 | 2016-02-17 08:40:01.0000000 | 2016-02-17 08:39:01.0000000 |
| PipelineScheduler | 27 | 22 | 02/17/2016 08:41:01 | 2016-02-17 08:41:00.0000000 | 2016-02-17 08:40:01.0000000 |
使用正则表达式标志的正则表达式模式
若要获取 resourceName 和 totalSlices,请使用以下查询:
let Traces = datatable(EventText: string)
[
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=non_valid_integer, sliceNumber=11, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=02/17/2016 08:40:00, previousLockTime=02/17/2016 08:39:00)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=non_valid_integer, sliceNumber=44, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces
| parse-where kind = regex EventText with * "RESOURCENAME=" resourceName "," * "totalSlices=" totalSlices: long "," *
| project resourceName, totalSlices
输出
| resourceName | totalSlices |
|---|---|
具有不区分大小写的正则表达式标志的 parse-where
在上述查询中,默认模式为区分大小写,因此字符串已成功分析。 未获得结果。
若要获取所需结果,请运行包含不区分大小写的 (i) 正则表达式标志的 parse-where。
只会成功分析三个字符串,因此结果为三个记录(某些 totalSlices 包含无效整数)。
let Traces = datatable(EventText: string)
[
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=non_valid_integer, sliceNumber=11, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=02/17/2016 08:40:00, previousLockTime=02/17/2016 08:39:00)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=non_valid_integer, sliceNumber=44, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces
| parse-where kind = regex flags=i EventText with * "RESOURCENAME=" resourceName "," * "totalSlices=" totalSlices: long "," *
| project resourceName, totalSlices
输出
| resourceName | totalSlices |
|---|---|
| PipelineScheduler | 27 |
| PipelineScheduler | 27 |
| PipelineScheduler | 27 |