
Lookup tables in OMS and Azure Log Analytics

In Azure Log Analytics, is there anything akin to Splunk's lookup tables? (https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Lookup)

Basically, a way to map values to other values, i.e.:

> value1 => value11 
> value2 => value22

Realizing this is now 4 months old, but I ran into similar issues and can maybe help someone going forward. You have to define a datatable and then join that to function as a lookup table. Sample from documentation:

    // Inline lookup table: EventID -> description
    let DimTable = datatable(EventID:int, eventName:string)
    [
        4658, "The handle to an object was closed",
        4656, "A handle to an object was requested",
        4690, "An attempt was made to duplicate a handle to an object",
        4663, "An attempt was made to access an object",
        5061, "Cryptographic operation",
        5058, "Key file operation"
    ];
    // Inner join keeps only events whose EventID appears in DimTable
    SecurityEvent
    | join kind = inner DimTable on EventID
    | summarize count() by eventName

Which then presents like this output

Check out the lookup tables section of this documentation: https://docs.loganalytics.io/docs/Learn/Tutorials/Joins---cross-analysis. I ended up doing most of this before I found this reference :/.

You can also make the datatable and then save that search and join the saved search instead of needing to define the table in every query.
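An added example (not from the original answer or the documentation it cites): the same datatable lookup with `kind=leftouter`, so events whose EventID is missing from the table are counted under a placeholder label, where the inner join would drop them from the result. `SampleEvents` and its rows are constructed stand-ins for `SecurityEvent`, so the query runs without workspace data.

```kusto
// Constructed sample rows standing in for the SecurityEvent table.
let SampleEvents = datatable(TimeGenerated:datetime, Computer:string, EventID:int)
[
    datetime(2024-01-01 10:00:00), "host-a", 4656,
    datetime(2024-01-01 10:00:05), "host-a", 4663,
    datetime(2024-01-01 10:00:09), "host-a", 4658,
    datetime(2024-01-01 10:01:00), "host-b", 4663,
    datetime(2024-01-01 10:02:00), "host-b", 4624   // deliberately absent from DimTable
];
// Lookup table, same shape as the one in the answer (shortened).
let DimTable = datatable(EventID:int, eventName:string)
[
    4658, "The handle to an object was closed",
    4656, "A handle to an object was requested",
    4663, "An attempt was made to access an object"
];
SampleEvents
// leftouter keeps every event; rows with no match get an empty eventName.
| join kind=leftouter (DimTable) on EventID
// Label unmatched IDs explicitly so gaps in the lookup table stay visible.
| extend eventName = iff(isempty(eventName),
                         strcat("Unmapped EventID ", tostring(EventID)),
                         eventName)
| summarize count() by eventName
| order by count_ desc
```

To use it against real data, replace `SampleEvents` with `SecurityEvent`; any "Unmapped EventID" rows in the output point to entries the lookup table still needs.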
