我现在有这个正则表达式:
?P<key>w+)=(?P<value>[a-zA-Z0-9-_:/@. ]+
输入行1:event=1921;json={"source":"A","location":B":"folder":"c:\windows\system32"},"id":2,"address":null,"name":"gone";
输入行2:dev=b;json={"dest":"123","home":AZ":"loc":"sys"},"ab":9,"home":null,"someKey":"someValue";
它正确提取了"event=1921;"但是它提取了另外两种类型
- 我如何使用键(JSON)和值提取
"json={...}"? - 我如何使用键(名称)和值(消失)提取
"name":"gone"?解决方案需要是动态的,因为关键字段将在其他行中被不同地命名。
您应该能够使用parse操作符:https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/parseoperator
例如:
print input = 'event=1921;json={"source":"A","location":B":"folder":"c:\windows\system32"},"id":2,"address":null,"name":"gone";'
| parse input with * "json=" json:dynamic ',"id"' * '"name":"' name '"' *
如果您的有效负载/属性名称完全是动态的,则:
。我建议您评估您的选择,以标准格式构建源数据(目前,甚至是"json";部分无效JSON)
b。您可以尝试以下操作-功能强大,但效率非常低(不建议用于大规模数据处理)
datatable(input:string)
[
'event=1921;json={"source":"A","location":B":"folder":"c:\windows\system32"},"id":2,"address":null,"name":"gone";',
'dev=b;json={"dest":"123","home":AZ":"loc":"sys"},"ab":9,"home":null,"someKey":"someValue";'
]
| parse input with prefix ";json={" json:dynamic '},' suffix
| mv-apply x = extract_all(@'(w+)=(w+)', prefix) on (
project p = pack(tostring(x[0]), x[1])
| summarize b1 = make_bag(p)
)
| mv-apply y = extract_all(@'"(w+)":"?(w+)"?', suffix) on (
project p = pack(tostring(y[0]), y[1])
| summarize b2 = make_bag(p)
)
| project json = strcat("{", json, "}"), b = bag_merge(b1, b2)
| evaluate bag_unpack(b)