Data Explorer KQL 過濾和映射列表中的 JSON(動態類型)
[英]Data Explorer KQL filtering and mapping JSONs in a list (dynamic type)
問題描述
我想過濾和轉換數組中的 JSON。
我有下表:
let fooTable = datatable(str: string, record: dynamic) [
"name1", dynamic([{"q": "foo", "type": "B1"}]),
"name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
"name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
"name4", dynamic([{"q": "foo", "type": "B1"}]),
"name5", dynamic([{"q": "b42", "type": "B1"}]),
"name6", dynamic([{"q": "f42", "type": "C1"}]),
"name7", dynamic([{"q": "foo", "type": "B1"}])
];
我想按“類型”字段過濾 JSON,並進行較小的轉換。 所以假設我想用“類型”“C1”進行過濾,所以我的 output 將是:
[
"name2", dynamic([{"q": "bar", "type": "C1", "qtype": "barC1"}, {"q": "bar2", "type": "B1", "qtype": "bar2B1"}]),
"name3", dynamic([{"q": "foo", "type": "C1", "qtype": "fooC1"}, {"q": "foo2", "type": "C1", "qtype": "foo2C1"}]),
"name6", dynamic([{"q": "f42", "type": "C1", "qtype": "f42C1"}
]
我嘗試了以下內容:
fooTable
| mv-apply v=record on (
where v.type == "C1"
| extend r2 = pack(
"q", v.q,
"type", v.type,
"qtype", strcat(v.q, v.type))
| summarize record = make_list(r2)
)
| project str, record
但如果類型不是“C1”,它只會在行中返回一個空數組:
name1 []
name2 [{"q":"bar","type":"C1","qtype":"barC1"}]
name3 [{"q":"foo","type":"C1","qtype":"fooC1"},{"q":"foo2","type":"C1","qtype":"foo2C1"}]
name4 []
name5 []
name6 [{"q":"f42","type":"C1","qtype":"f42C1"}]
name7 []
我想完全過濾這些行(沒有空行)。
1 個解決方案
解決方案1
0 2022-01-02 18:48:06
這行得通嗎?
let fooTable = datatable(str: string, record: dynamic) [
"name1", dynamic([{"q": "foo", "type": "B1"}]),
"name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
"name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
"name4", dynamic([{"q": "foo", "type": "B1"}]),
"name5", dynamic([{"q": "b42", "type": "B1"}]),
"name6", dynamic([{"q": "f42", "type": "C1"}]),
"name7", dynamic([{"q": "foo", "type": "B1"}])
];
fooTable
| mv-apply record on (
where record.type=="C1"
)
| summarize make_list(record) by str
| 字符串 | 列表記錄 |
|---|---|
| 名稱2 | [ { “q”:“酒吧”, “類型”:“C1” } ] |
| 名稱3 | [ { “q”:“富”, “類型”:“C1” }, { “q”:“foo2”, “類型”:“C1” } ] |
| 名稱6 | [ { “q”:“f42”, “類型”:“C1” } ] |
解決方案2
0 2022-01-02 19:26:19
你可以試試這個:
- 首先過濾其任何成員具有
type=C1的記錄 - 然后使用
qtypebag_merge()function: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/bag-merge-function擴展記錄
let fooTable = datatable(str: string, record: dynamic) [
"name1", dynamic([{"q": "foo", "type": "B1"}]),
"name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
"name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
"name4", dynamic([{"q": "foo", "type": "B1"}]),
"name5", dynamic([{"q": "b42", "type": "B1"}]),
"name6", dynamic([{"q": "f42", "type": "C1"}]),
"name7", dynamic([{"q": "foo", "type": "B1"}])
];
fooTable
| where tostring(record) has '"type":"C1"'
| mv-apply r = record on (
extend record = bag_merge(r, pack("qtype", strcat(r.q, r.type)))
| summarize record = make_list(record)
)
解決方案3
0 2022-01-02 19:26:40
這行得通嗎?
let fooTable = datatable(str: string, record: dynamic) [
"name1", dynamic([{"q": "foo", "type": "B1"}]),
"name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
"name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
"name4", dynamic([{"q": "foo", "type": "B1"}]),
"name5", dynamic([{"q": "b42", "type": "B1"}]),
"name6", dynamic([{"q": "f42", "type": "C1"}]),
"name7", dynamic([{"q": "foo", "type": "B1"}])
];
fooTable
| mv-apply record on (
where record.type=="C1"
)
| summarize make_list(record) by str
另一種選擇是:
let fooTable = datatable(str: string, record: dynamic) [
"name1", dynamic([{"q": "foo", "type": "B1"}]),
"name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
"name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
"name4", dynamic([{"q": "foo", "type": "B1"}]),
"name5", dynamic([{"q": "b42", "type": "B1"}]),
"name6", dynamic([{"q": "f42", "type": "C1"}]),
"name7", dynamic([{"q": "foo", "type": "B1"}])
];
fooTable
| mv-apply record on (
where record.type=="C1"
| summarize make_list(record)
| where array_length( list_record) > 0
)
| 字符串 | 列表記錄 |
|---|---|
| 名稱2 | [ { “q”:“酒吧”, “類型”:“C1” } ] |
| 名稱3 | [ { “q”:“富”, “類型”:“C1” }, { “q”:“foo2”, “類型”:“C1” } ] |
| 名稱6 | [ { “q”:“f42”, “類型”:“C1” } ] |
查詢數據如何使用 kusto(Azure 數據資源管理器)KQL 中的偏移量進行分頁
[英]How query data use offset in kusto (Azure Data Explorer) KQL for paging
是否可以使用 Azure 數據資源管理器修改攝取映射中的數據?
[英]Is it possible to modify data in the ingestion mapping using Azure Data Explorer?
有沒有辦法對 KQL 中的列表元素執行字符串運算符?
[英]Is there a way to perform string operators on elements of a list in KQL?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.