How do I use the results of a first KQL query to filter the results of a second query?

I have a first KQL query that returns a list of domain names, and I then want to use those to filter another KQL query. I just don't know what syntax to use for this. Is there a way in KQL to use the contains() operator together with a for loop/iteration?

KQL query 1

let hostnames = () {
AllDomains 
| where hostname !contains "default.com" and hostname != ""
| distinct hostname
};

KQL - Query 2

let start_date = ago(10m);
let end_date = now();
LogEvents 
| where env_time between (start_date .. end_date)
| where headers  contains "X-Forwarded-For"
| where queryString contains (hostnames()) // This is what is needed: filter on all the domains from the first query.
| project queryString 

You can do it like this:

let hostnames =
AllDomains 
| where isnotempty(hostname) and hostname !has "default.com"
| distinct hostname
;
let start_date = ago(10m);
let end_date = now();
LogEvents 
| where env_time between (start_date .. end_date)
| where headers contains "X-Forwarded-For"
| where queryString has_any (hostnames)
| project queryString 

It would be better if you could provide a sample of what your data looks like and what you are trying to accomplish, but I think you'll want to use has_any instead of contains.
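A self-contained version of the accepted approach, added here as an example and not part of the question or answer: both tables are constructed inline with datatable(), so the behaviour of has_any over a single-column tabular let expression can be checked without the real AllDomains and LogEvents tables. The table and column names are taken from the question; the row values and timestamps are made up for the example.

```kusto
// Constructed sample of the domain allow-list table from the question.
let AllDomains = datatable(hostname: string) [
    "shop.example.net",
    "api.example.org",
    "login.default.com",   // dropped by the !has "default.com" filter below
    ""                     // dropped by isnotempty()
];
// Constructed sample of the event table from the question.
let LogEvents = datatable(env_time: datetime, headers: string, queryString: string) [
    datetime(2024-01-01 10:00:00), "X-Forwarded-For: 203.0.113.7", "redirect=https://shop.example.net/cart",
    datetime(2024-01-01 10:01:00), "X-Forwarded-For: 203.0.113.8", "redirect=https://login.default.com/",
    datetime(2024-01-01 10:02:00), "Host: internal",               "redirect=https://api.example.org/v1",
    datetime(2024-01-01 10:03:00), "X-Forwarded-For: 203.0.113.9", "redirect=https://evil.example.com/"
];
// A tabular let expression with exactly one string column can be passed
// straight to has_any as the list of terms; no function call or loop is needed.
let hostnames =
    AllDomains
    | where isnotempty(hostname) and hostname !has "default.com"
    | distinct hostname;
// Fixed time window instead of ago()/now() so the sample is deterministic.
LogEvents
| where env_time between (datetime(2024-01-01 09:55:00) .. datetime(2024-01-01 10:05:00))
| where headers contains "X-Forwarded-For"
| where queryString has_any (hostnames)
| project env_time, queryString
// Only the shop.example.net row survives: api.example.org lacks the header,
// login.default.com was filtered out of hostnames, and evil.example.com is not listed.
```

has_any matches whole terms, so a listed hostname such as shop.example.net matches only where it appears as those tokens in order, unlike contains, which would also match substrings of unrelated hostnames.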
