如何解决在 Kusto 中解析 `key1=value1 key2=value2`
我在 Azure Kubernetes 集群中运行 Cilium,并且想要解析 Azure Log Analytics 中的 cilium 日志消息。日志消息的格式类似于
key1=value1 key2=value2 key3="if the value contains spaces,it's wrapped in quotation marks"
例如:
level=info msg="Identity of endpoint changed" containerID=a4566a3e5f datapathPolicyRevision=0
我在文档中找不到匹配的 parse_xxx 方法(例如 https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/parsecsvfunction )。是否有可能编写自定义函数来解析此类日志消息?
解决方法
不是一个有趣的解析格式......但这应该有效:
let LogLine = "level=info msg=\"Identity of endpoint changed\" containerID=a4566a3e5f datapathPolicyRevision=0";
print LogLine
| extend KeyValuePairs = array_concat(
extract_all("([a-zA-Z_]+)=([a-zA-Z0-9_]+)",LogLine),extract_all("([a-zA-Z_]+)=\"([a-zA-Z0-9_ ]+)\"",LogLine))
| mv-apply KeyValuePairs on
(
extend p = pack(tostring(KeyValuePairs[0]),tostring(KeyValuePairs[1]))
| summarize dict=make_bag(p)
)
输出将是:
| print_0 | dict |
|--------------------|-----------------------------------------|
| level=info msg=... | { |
| | "level": "info",|
| | "containerID": "a4566a3e5f",|
| | "datapathPolicyRevision": "0",|
| | "msg": "Identity of endpoint changed" |
| | } |
|--------------------|-----------------------------------------|
在 Slavik N 的帮助下,我提出了一个对我有用的查询:
let containerIds = KubePodInventory
| where Namespace startswith "cilium"
| distinct ContainerID
| summarize make_set(ContainerID);
ContainerLog
| where ContainerID in (containerIds)
| extend KeyValuePairs = array_concat(
extract_all("([a-zA-Z0-9_-]+)=([^ \"]+)",LogEntry),extract_all("([a-zA-Z0-9_]+)=\"([^\"]+)\"",LogEntry))
| mv-apply KeyValuePairs on
(
extend p = pack(tostring(KeyValuePairs[0]),tostring(KeyValuePairs[1]))
| summarize JSONKeyValuePairs=parse_json(make_bag(p))
)
| project TimeGenerated,Level=JSONKeyValuePairs.level,Message=JSONKeyValuePairs.msg,PodName=JSONKeyValuePairs.k8sPodName,Reason=JSONKeyValuePairs.reason,Controller=JSONKeyValuePairs.controller,ContainerID=JSONKeyValuePairs.containerID,Labels=JSONKeyValuePairs.labels,Raw=LogEntry
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。