parse-where 運算子
適用於:✅Microsoft網狀架構✅Azure 數據✅總管 Azure 監視器✅Microsoft Sentinel
評估字串表示式,並將其值剖析成一或多個匯出數據行。 結果只是成功剖析的字串。
parse-where以與剖析相同的方式剖析字串,並篩選出未成功剖析的字串。
請參閱 parse 運算符,這會針對未成功剖析的字串產生 Null。
語法
T [kind [flags=kind= regexFlags]] expression * with (stringConstant columnName [: columnType]) ... *| parse-where
深入瞭解 語法慣例。
參數
| 姓名 | 類型 | 必要 | 描述 |
|---|---|---|---|
| T | string |
✔️ | 要剖析的表格式輸入。 |
| 種類 | string |
✔️ | 其中 一個支援的種類值。 預設值是 simple。 |
| regexFlags | string |
如果 kind 為 regex,則您可以指定 regex 旗標,例如 U 用於不油、 m 多行模式、 s 比對新行 \n,以及 i 不區分大小寫。 您可以在 Flags 中找到 更多旗標。 |
|
| expression | string |
✔️ | 評估為字串的表達式。 |
| stringConstant | string |
✔️ | 要搜尋和剖析的字串常數。 |
| columnName | string |
✔️ | 要指派值的數據行名稱,從字串表達式擷取。 |
| columnType | string |
指示要將值轉換成何種型別的純量值。 預設為 string。 |
注意
- 如果您想要卸除或重新命名某些數據行,請使用 專案 。
- 在
*模式中使用 來略過垃圾郵件值。 這個值無法在數據行之後string使用。 - 除了 StringConstant 之外,剖析模式可能以 ColumnName 開頭。
- 如果剖析的運算式不是 型
string別,則會轉換成 類型string。
支援的種類值
| Text | 描述 |
|---|---|
simple |
這是預設值。 stringConstant 是一般字串值,而且比對是 strict。 所有字串分隔符號都應出現在剖析字串中,而所有擴展資料行皆必須與要求的型別相符。 |
regex |
stringConstant 可能是正則表達式,而且比對是 strict。 所有字串分隔符號 (可以是此模式的規則運算式) 都應出現在剖析字串中,而所有擴展資料行皆必須與要求的型別相符。 |
Regex 模式
在 regex 模式中,剖析會將模式轉譯為 regex 並使用 正則表達式 ,以便使用內部處理的編號擷取群組來執行比對。 例如:
parse-where kind=regex Col with * <regex1> var1:string <regex2> var2:long
內部剖析所產生的 regex 為 .*?<regex1>(.*?)<regex2>(\-\d+)。
*已轉譯為.*?。string已轉譯為.*?。long已轉譯為\-\d+。
傳回
輸入數據表,會根據提供給 運算子的數據行清單來擴充。
注意
只有成功剖析的字串才會出現在輸出中。 不符合模式的字串將會篩選掉。
範例
運算子parse-where會使用相同string運算式上的多個extract應用程式,為數據表提供簡化的方式extend。 當數據表有一個數據行包含您想要分成個別數據行的數個 string 值時,這最有用。 例如,您可以分割開發人員追蹤 (“”printf/“”Console.WriteLine) 語句所產生的數據行。
使用 parse
在下列範例中,數據表Traces的數據行EventText包含表單Event: NotifySliceRelease (resourceName={0}, totalSlices= {1}, sliceNumber={2}, lockTime={3}, releaseTime={4}, previousLockTime={5})的字串。 下列作業會將資料表擴充為六個資料列: resourceName 、、totalSlices、、releaseTimesliceNumberlockTime、、previousLockTime、、 Month和 Day。
其中一些字串沒有完整的相符專案。
使用 parse,計算結果列會有 Null。
let Traces = datatable(EventText: string)
[
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=invalid_number, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=invalid_datetime, previousLockTime=02/17/2016 08:39:00)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=20, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=invalid_number, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces
| parse EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices: long * "sliceNumber=" sliceNumber: long * "lockTime=" lockTime ", releaseTime=" releaseTime: date "," * "previousLockTime=" previouLockTime: date ")" *
| project
resourceName,
totalSlices,
sliceNumber,
lockTime,
releaseTime,
previouLockTime
輸出
| resourceName | totalSlices | sliceNumber | lockTime | releaseTime | previousLockTime |
|---|---|---|---|---|---|
| PipelineScheduler | 27 | 20 | 02/17/2016 08:40:01 | 2016-02-17 08:40:01.0000000 | 2016-02-17 08:39:01.0000000 |
| PipelineScheduler | 27 | 22 | 02/17/2016 08:41:01 | 2016-02-17 08:41:00.0000000 | 2016-02-17 08:40:01.0000000 |
使用 parse-where
使用 『parse-where』 會篩選出結果中未成功剖析的字串。
let Traces = datatable(EventText: string)
[
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=invalid_number, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=invalid_datetime, previousLockTime=02/17/2016 08:39:00)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=20, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=invalid_number, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces
| parse-where EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices: long * "sliceNumber=" sliceNumber: long * "lockTime=" lockTime ", releaseTime=" releaseTime: date "," * "previousLockTime=" previousLockTime: date ")" *
| project
resourceName,
totalSlices,
sliceNumber,
lockTime,
releaseTime,
previousLockTime
輸出
| resourceName | totalSlices | sliceNumber | lockTime | releaseTime | previousLockTime |
|---|---|---|---|---|---|
| PipelineScheduler | 27 | 20 | 02/17/2016 08:40:01 | 2016-02-17 08:40:01.0000000 | 2016-02-17 08:39:01.0000000 |
| PipelineScheduler | 27 | 22 | 02/17/2016 08:41:01 | 2016-02-17 08:41:00.0000000 | 2016-02-17 08:40:01.0000000 |
使用 regex 旗標的 Regex 模式
若要取得 resourceName 和 totalSlices,請使用下列查詢:
let Traces = datatable(EventText: string)
[
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=non_valid_integer, sliceNumber=11, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=02/17/2016 08:40:00, previousLockTime=02/17/2016 08:39:00)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=non_valid_integer, sliceNumber=44, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces
| parse-where kind = regex EventText with * "RESOURCENAME=" resourceName "," * "totalSlices=" totalSlices: long "," *
| project resourceName, totalSlices
輸出
| resourceName | totalSlices |
|---|---|
parse-where 具有不區分大小寫的 regex 旗標
在上述查詢中,預設模式會區分大小寫,因此已成功剖析字串。 未取得任何結果。
若要取得所需的結果,請使用不區分大小寫的 (i) regex 旗標執行parse-where。
只會成功剖析三個字串,因此結果為三筆記錄(有些 totalSlices 保留無效的整數)。
let Traces = datatable(EventText: string)
[
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=non_valid_integer, sliceNumber=11, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=02/17/2016 08:40:00, previousLockTime=02/17/2016 08:39:00)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=non_valid_integer, sliceNumber=44, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces
| parse-where kind = regex flags=i EventText with * "RESOURCENAME=" resourceName "," * "totalSlices=" totalSlices: long "," *
| project resourceName, totalSlices
輸出
| resourceName | totalSlices |
|---|---|
| PipelineScheduler | 27 |
| PipelineScheduler | 27 |
| PipelineScheduler | 27 |