How to match part of a specific column's values from a dynamic array in Azure Log Analytics query?
We currently have two queries to do this particular job, but I am trying to merge them into one query.
First query - get the message ID from the SMTP logs:
Syslog
| where TimeGenerated > ago(1d)
| where Computer contains "smtpserver"
| where SyslogMessage contains "to=<jdoe@mycompany.com>"
| project EventTime, Computer, SyslogMessage
The results look like this:
smtpserver01 | 2019-08-13T13:00:14.000 | xXXXX123456: to=<jdoe@mycompany.com>,<jsmith@mycompany.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=658974, relay=pp1235.fortimail.com., dsn=4.0.0, stat=Deferred
smtpserver02 | 2019-08-13T22:23:52.000 | xXXXX123456: to=<jdoe@mycompany.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=654715, relay=pp1235.fortimail.com. [1xx.2xx.1xx.1xx], dsn=2.0.0, stat=Sent (xXXXX123456-xXXXX123456 Message accepted for delivery)
Second query - get the transactions for that message ID
From there, I take the MessageID (xXXXX123456) and put it into another similar query to see the transactions for that specific MessageID.
let msgID = "xXXXX123456";
Syslog
| where Computer contains "smtpserver"
| where SyslogMessage contains msgID
| project EventTime, Computer, HostIP, SyslogMessage
One message ID shows about five or six lines. The first line is the subject information, the second line is the sender information, and so on.
So I am trying to merge these two into one query; here are the two approaches I have tried so far:
//Create a dynamic array of unique message IDs from first query
let msgIDs = Syslog
| where TimeGenerated > ago(1d)
| where Computer contains "smtpserver"
| where SyslogMessage contains "to=<jdoe@mycompany.com>"
| project msgId=substring(SyslogMessage,0,14) //first 13 characters of SyslogMessage is the message ID
| distinct msgId;
Syslog
| where SyslogMessage contains (msgIDs)
//| where SyslogMessage has (msgIDs)
| project EventTime, Computer, HostIP, SyslogMessage
contains or has doesn't work, because I am trying to match a list against what is technically another list. The second option is to use the join() operator, but because of the substring split I don't know what I am doing with it. Here is what I have so far:
Syslog
| where TimeGenerated > ago(1d)
| where Computer contains "smtpserver"
| project format_datetime(TimeGenerated, 'MM-dd-yyyy hh:mm:ss tt'), msgID=substring(SyslogMessage,0,14)
| join kind=inner (
Syslog
| where Computer contains "smtpserver"
| where SyslogMessage contains "to=<jdoe@mycompany.com>"
// Match SyslogMessage here with msgID from above but has or contains doesn't work. How to do that?
| project msgID=substring(SyslogMessage,0,14), SyslogMessage
) on msgID
Please advise!
You can use your first solution. If the returned msgIDs is a list, use the in operator instead of the contains/has operators.
Change your first solution to:
//Create a dynamic array of unique message IDs from first query
let msgIDs = Syslog
| where TimeGenerated > ago(1d)
| where Computer contains "smtpserver"
| where SyslogMessage contains "to=<jdoe@mycompany.com>"
| project msgId=substring(SyslogMessage,0,14) //first 13 characters of SyslogMessage is the message ID
| distinct msgId;
Syslog
//Extract the same prefix here so that the in operator compares ID to ID, not ID to the whole message
| extend msgId=substring(SyslogMessage,0,14)
//Here, use the in operator
| where msgId in (msgIDs)
| project EventTime, Computer, HostIP, SyslogMessage
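The join-based variant that the question's second attempt was reaching for, as an added example that is not part of the question or the answer: the message ID is extracted into its own column on both sides with extend before the join, so the key columns hold comparable values, and the recipient line from the first query is carried along as an extra column. It keeps the asker's assumption that the ID is the first 14 characters of SyslogMessage and uses the same table and column names as the question; the column name RecipientLine and the let name recipientLines are chosen here.

```kusto
// Added example, not from the question or the answer: correlate SMTP transactions by message ID with a join.
// Assumes, as the question does, that the message ID is the first 14 characters of SyslogMessage.
let recipientLines = Syslog
| where TimeGenerated > ago(1d)
| where Computer contains "smtpserver"
| where SyslogMessage contains "to=<jdoe@mycompany.com>"
| extend msgId = substring(SyslogMessage, 0, 14)
// keep the matching to= line so each joined row shows which recipient line pulled it in
| project msgId, RecipientLine = SyslogMessage
| distinct msgId, RecipientLine;
Syslog
| where TimeGenerated > ago(1d)
| where Computer contains "smtpserver"
| extend msgId = substring(SyslogMessage, 0, 14)
// inner join on the extracted ID column, not on the full message text
| join kind=inner (recipientLines) on msgId
| project EventTime, Computer, HostIP, msgId, SyslogMessage, RecipientLine
| order by msgId asc, EventTime asc
```

When only the transaction rows are needed, the in operator on the extracted msgId column is simpler and avoids the duplicated key column that join produces; join is the option to choose when columns from the recipient-side query should appear on every matched row.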