Parsing `key1=value1 key2=value2` in Kusto



I am running Cilium in an Azure Kubernetes cluster and want to parse the Cilium log messages in Azure Log Analytics. The log messages have a format like

key1=value1 key2=value2 key3="if the value contains spaces, it's wrapped in quotation marks"

For example:

level=info msg="Identity of endpoint changed" containerID=a4566a3e5f datapathPolicyRevision=0 

I cannot find a matching parse_xxx function in the documentation (e.g. https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/parsecsvfunction). Is it possible to write a custom function to parse this kind of log message?

Not a fun format to parse... but this should work:

// Embedded quotes in a KQL string literal must be escaped as \"
let LogLine = "level=info msg=\"Identity of endpoint changed\" containerID=a4566a3e5f datapathPolicyRevision=0";
print LogLine
| extend KeyValuePairs = array_concat(
    extract_all("([a-zA-Z_]+)=([a-zA-Z0-9_]+)", LogLine),          // bare values
    extract_all("([a-zA-Z_]+)=\"([a-zA-Z0-9_ ]+)\"", LogLine))     // quoted values (may contain spaces)
| mv-apply KeyValuePairs on 
(
    // each element is a [key, value] array; turn the pairs into one property bag
    extend p = pack(tostring(KeyValuePairs[0]), tostring(KeyValuePairs[1]))
    | summarize dict=make_bag(p)
)

The output is:

| print_0            | dict                                    |
|--------------------|-----------------------------------------|
| level=info msg=... | {                                       |
|                    |   "level": "info",                      |
|                    |   "containerID": "a4566a3e5f",          |
|                    |   "datapathPolicyRevision": "0",        |
|                    |   "msg": "Identity of endpoint changed" |
|                    | }                                       |
|--------------------|-----------------------------------------|

With Slavik N's help I ended up with a query that works for me:

// Container IDs of all pods in the cilium namespaces, as a single dynamic array
// (toscalar so that `in (...)` below compares against the array's elements)
let containerIds = toscalar(
    KubePodInventory
    | where Namespace startswith "cilium"
    | distinct ContainerID
    | summarize make_set(ContainerID));
ContainerLog
| where ContainerID in (containerIds)
| extend KeyValuePairs = array_concat(
    extract_all("([a-zA-Z0-9_-]+)=([^ \"]+)", LogEntry),       // bare values
    extract_all("([a-zA-Z0-9_]+)=\"([^\"]+)\"", LogEntry))     // quoted values
| mv-apply KeyValuePairs on 
(
    extend p = pack(tostring(KeyValuePairs[0]), tostring(KeyValuePairs[1]))
    | summarize JSONKeyValuePairs=parse_json(make_bag(p))
)
| project TimeGenerated,
          Level=JSONKeyValuePairs.level,
          Message=JSONKeyValuePairs.msg,
          PodName=JSONKeyValuePairs.k8sPodName,
          Reason=JSONKeyValuePairs.reason,
          Controller=JSONKeyValuePairs.controller,
          ContainerID=JSONKeyValuePairs.containerID,
          Labels=JSONKeyValuePairs.labels,
          Raw=LogEntry
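As an added example (not code from the question or from either answer), here is a Python reference parser for the same format, run over constructed Cilium-style lines. It reproduces the two-regex extraction used in the queries above, so you can see exactly what make_bag ends up holding, and puts a single-pass tokenizer next to it that consumes each quoted value whole. The regex pair is fine for the sample line in the question, but a quoted value that itself contains key=value text is split into extra keys, and escaped quotes truncate the value. The sample lines, the key character class and the projection mapping are my assumptions.

```python
import re

# Constructed sample lines in the logfmt-style format the question describes
# (Cilium's logrus output). They are made up for this example, not real Cilium logs.
SAMPLE_LINES = [
    'level=info msg="Identity of endpoint changed" containerID=a4566a3e5f datapathPolicyRevision=0',
    # a quoted value that itself contains key=value text
    'level=warning msg="Policy update failed: selector=app in ns" k8sPodName=cilium-xyz reason=timeout',
    # a quoted value with escaped quotes, and a bare value containing '='
    r'level=info msg="Label says \"prod\"" labels=k8s:io.cilium.k8s.policy.cluster=default',
]

# The two regexes from the query, applied the way array_concat() does:
# every unquoted pair first, then every quoted pair (pair order is lost).
UNQUOTED = re.compile(r'([a-zA-Z0-9_-]+)=([^ "]+)')
QUOTED = re.compile(r'([a-zA-Z0-9_]+)="([^"]+)"')


def parse_with_two_regexes(line):
    """Mirror the extract_all()/array_concat()/make_bag() pipeline in Python."""
    return dict(UNQUOTED.findall(line) + QUOTED.findall(line))


# Single left-to-right tokenizer: each token is key= followed by either a
# double-quoted value (with backslash escapes) or a bare value running to the
# next whitespace. A quoted value is consumed as one unit, so text inside it
# is never re-scanned for further pairs.
TOKEN = re.compile(
    r'(?:^|(?<=\s))'                      # key must start at a token boundary
    r'(?P<key>[A-Za-z0-9_.:/-]+)='        # key (assumed character set)
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"'   # "quoted value", \" and \\ allowed
    r'|(?P<bare>[^\s"]*))'                # or bare value (may be empty: key=)
)


def parse_logfmt(line):
    """Parse one logfmt-style line into a dict; a repeated key keeps its last value."""
    fields = {}
    for m in TOKEN.finditer(line):
        if m.group('quoted') is not None:
            value = re.sub(r'\\(.)', r'\1', m.group('quoted'))  # drop escape backslashes
        else:
            value = m.group('bare')
        fields[m.group('key')] = value
    return fields


# Column mapping used by the final `project` in the query above.
PROJECTION = {
    'Level': 'level', 'Message': 'msg', 'PodName': 'k8sPodName',
    'Reason': 'reason', 'Controller': 'controller',
    'ContainerID': 'containerID', 'Labels': 'labels',
}


def project(fields):
    """Select the same named columns the query projects; missing keys become None."""
    return {column: fields.get(key) for column, key in PROJECTION.items()}


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print('two regexes:', parse_with_two_regexes(line))
        print('tokenizer:  ', parse_logfmt(line))
        print('projected:  ', project(parse_logfmt(line)))
        print()
```

The difference matters once the extracted fields feed an alert or a dashboard: the text inside msg and labels comes from pod names, labels and policy selectors, which cluster users control, so a value such as `selector=app` inside a quoted message becomes a top-level key with the two-regex approach, and a crafted label could just as well plant a fake `level` or `reason`. If you keep the KQL version, at least treat the quoted-value fields as untrusted and pin the projected columns to the keys you expect, as the query's `project` does.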
