如何解决如何基于kusto查询KQL语言中的命名键从Json中获取值
我在日志分析工作区中有一个 json 字段,其结构如下所示
{
"AdditionalDetails": [
{
"value": "SomeValue","key": "SomeKey"
},{
"value": "SomeValue",{
"value": "somevalue","key": "somekey"
},{
"value": "SomeTicketNumber","key": "TicketNumber"
},{
"value": "1/1/0001 6:00:00 AM","key": "ExpirationTime"
}
]
} 我正在使用 Kusto 查询根据键值票证编号过滤此数据。删除所有其他列后,我就找到了值中捕获的实际票号。
我尝试过 mvexpand、mv-expand,我得到了类似下面的结果。
print d = dynamic ({
"AdditionalDetails": [
{
"value": "SomeValue","key": "SomeKey"
},{
"value": "SomeValue",{
"value": "somevalue","key": "somekey"
},{
"value": "SomeTicketNumber","key": "TicketNumber"
},{
"value": "1/1/0001 6:00:00 AM","key": "ExpirationTime"
}
]
})
| project details = d.['AdditionalDetails']
| mvexpand details
| project ticketnumber = details
{"value":"SomeValue","key":"SomeKey"}
{"value":"SomeValue","key":"SomeKey"}
{"value":"somevalue","key":"somekey"}
{"value":"SomeTicketNumber","key":"TicketNumber"}
{"value":"1/1/0001 6:00:00 AM","key":"ExpirationTime"}
要求仅获取键名称为票号的行,一旦我有了该行,我应该能够将票号投影为列,有什么建议吗?
注意:我能够根据索引获取票证的价值,但 Json 结构是动态的,因此我无法对索引进行硬编码。
解决方法
你可以使用mv-apply:https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/mv-applyoperator
datatable(d:dynamic)
[
dynamic({
"AdditionalDetails":[
{"value":"SomeValue","key":"SomeKey"},{"value":"SomeValue",{"value":"somevalue","key":"somekey"},{"value":"SomeTicketNumber","key":"TicketNumber"},{"value":"2/2/0002 7:00:00 AM","key":"ExpirationTime"}
]
}),dynamic({
"AdditionalDetails":[
{"value":"AnotherTicketNumber",{"value":"1/1/0001 6:00:00 AM","key":"ExpirationTime"},"key":"somekey"}
]
}),]
| mv-apply ad = d.AdditionalDetails on (
where ad.key == "TicketNumber"
| project value = tostring(ad.value)
)
| project value
大概是这样的?
print d = dynamic ({
"AdditionalDetails": [
{
"value": "SomeValue","key": "SomeKey"
},{
"value": "SomeValue",{
"value": "somevalue","key": "somekey"
},{
"value": "SomeTicketNumber","key": "TicketNumber"
},{
"value": "1/1/0001 6:00:00 AM","key": "ExpirationTime"
}
]
})
| project d.AdditionalDetails
| mv-expand d_AdditionalDetails
| extend key = d_AdditionalDetails.key
| where key == "TicketNumber"
| project value = tostring(d_AdditionalDetails.value)
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。