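I am racking my brain and would appreciate some help. :)
I would like to know how to use a wildcard (*) in the join parameters.
I need to join two tables on fields that have the same name; however, some fields may contain a wildcard (*), because for that field I want all values to be validated.
My exception table: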
let table_excep= datatable (Computer:string,Event_id:string, logon_type:string)
[
"Pc_01","*","4",
"Pc_02","4648","*",
"*","*","60"
];
My data table:
let table_windows= datatable (Computer:string,Event_id:string, logon_type:string)
[
"Pc_01","5059","4",
"Pc_02","4648","1",
"Pc_03","61","60"
];
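When I run it, it does not return any results.
For this join, I want the 3 join fields to be taken into account; that is, based on the exception table, if computer_name is Pc_01 and logon_type is 4, this log should be shown no matter what the event_id is, because the event_id field in the exception list is a wildcard (*).
I have not found a way to solve this, because the join condition only allows "==".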
cross join (inner join on 1=1) + where
let table_excep= datatable (Computer:string,Event_id:string, logon_type:string)
[
"Pc_01","*","4",
"Pc_02","4648","*",
"*","*","60"
];
let table_windows= datatable (Computer:string,Event_id:string, logon_type:string)
[
"Pc_01","5059","4",
"Pc_02","4648","1",
"Pc_03","61","60"
];
table_excep | extend dummy = 1
| join kind=inner (table_windows | extend dummy = 1) on dummy
| where (Computer == Computer1 or Computer == '*')
and (Event_id == Event_id1 or Event_id == '*')
and (logon_type == logon_type1 or logon_type == '*')
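Added example, not part of the original answer: the same cross join plus `where` approach, extended to show what happens when one event matches several exception rows or none. The last two rows of `table_windows` and the `rule_` column names and `matched_rules` column are constructed for illustration.

```kusto
let table_excep = datatable (Computer:string, Event_id:string, logon_type:string)
[
    "Pc_01", "*",    "4",
    "Pc_02", "4648", "*",
    "*",     "*",    "60"
];
// The last two rows are constructed: the first matches two rules, the second matches none.
let table_windows = datatable (Computer:string, Event_id:string, logon_type:string)
[
    "Pc_01", "5059", "4",
    "Pc_02", "4648", "1",
    "Pc_03", "61",   "60",
    "Pc_02", "4648", "60",
    "Pc_04", "4624", "2"
];
table_windows
| extend dummy = 1
| join kind=inner (
    table_excep
    // Prefix the rule columns so the join does not emit Computer1, Event_id1, logon_type1.
    | project rule_Computer = Computer, rule_Event_id = Event_id,
              rule_logon_type = logon_type, dummy = 1
  ) on dummy
// A rule field matches when it is the wildcard or equals the event's value.
| where (rule_Computer == "*" or rule_Computer == Computer)
    and (rule_Event_id == "*" or rule_Event_id == Event_id)
    and (rule_logon_type == "*" or rule_logon_type == logon_type)
// The cross join yields one row per (event, matching rule) pair;
// collapse to one row per event and keep the list of rules that matched it.
| summarize matched_rules = make_set(strcat(rule_Computer, "|", rule_Event_id, "|", rule_logon_type))
    by Computer, Event_id, logon_type
```

Because the dummy-key join produces every event paired with every rule before the `where` filter runs, its cost grows with the product of the two row counts, so it suits a short exception list.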