堆栈内存溢出
  简体   繁体   English

如何在第二个查询中使用第一个 KQL 查询的结果来过滤结果?

[英]How to use result of first KQL query in the second query to filter results?

 原文  2022-12-29 07:31:29       azure/ azure-data-explorer/ kql

问题描述

I have a first KQL query that returns a list of domain names, and then I want to use these to filter another KQL query.我有一个返回域名列表的第一个 KQL 查询,然后我想使用这些查询来过滤另一个 KQL 查询。 I just can't figure out the syntax to do it.我只是想不出这样做的语法。 Is there a way to use the contains() operator with a for loop/iteration in KQL?有没有办法在 KQL 中将 contains() 运算符与 for 循环/迭代一起使用?

KQL - Query 1 KQL - 查询 1

    let hostnames = () {
    AllDomains 
    | where hostname !contains "default.com" and hostname != ""
    | distinct hostname
   }

KQL - Query 2 KQL - 查询 2

let start_date = ago(10m);
let end_date = now();
LogEvents 
| where env_time between (start_date .. end_date)
| where headers  contains "X-Forwarded-For"
| where queryString contains (hostnames()) //This is what is needed to filter on all the domains from first query.
| project queryString

2 个解决方案

解决方案1
 0  2022-12-29 08:14:47

It would be better if you'll provide a sample of how your data looks and what you are trying to accomplish, but I think that instead of contains you'd want to use has_any如果您能提供一个样本,说明您的数据看起来如何以及您想要完成什么,那会更好,但我认为您想要使用has_any而不是contains

解决方案2
 0  2022-12-29 15:47:32

this could work:这可以工作:

let hostnames =
    AllDomains 
    | where isnotempty(hostname) and hostname !has "default.com"
    | distinct hostname
;
let start_date = ago(10m);
let end_date = now();
LogEvents 
| where env_time between (start_date .. end_date)
| where headers contains "X-Forwarded-For"
| where queryString has_any (hostnames)
| project queryString

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何处理KQL查询中的空结果? - how to handle empty results in KQL query? 如何使用 AZURE KQL 编写查询以获取自定义 output 作为结果? - How to write a query to get the custom output as a result using AZURE KQL? 是否可以在 Azure 警报中显示 KQL 查询结果? - Is it possible to show KQL query results in an Azure alert? KQL 查询以根据条件过滤值 - KQL Query to filter values based on condition KQL - KQL 查询的逻辑处理 - KQL - logical processing of an KQL query 如何使用 Azure Kusto 查询语言 (KQL) 查询 Jmeter Graph,例如 Active Threads Over times - How to use Azure Kusto Query Language (KQL) to query Jmeter Graph such as Active Threads Over times 查询数据如何使用 kusto(Azure 数据资源管理器)KQL 中的偏移量进行分页 - How query data use offset in kusto (Azure Data Explorer) KQL for paging KQL 查询中的多个日期 - Multiple dates within KQL query KQL 查询中忽略白名单 - Whitelist is being ignored in KQL Query 如何在 LogicApps 中使用 KQL 查询构建嵌套的 HTML 表? - How to build up a nested HTML Table using a KQL query in LogicApps?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM