如何根据 kusto 查询(KQL)语言中的命名键从 Json 中获取值
How to fetch the value from the Json based on Named key in kusto query(KQL) language
我在日志分析工作区中有一个 json 字段,结构如下所示
{
"AdditionalDetails": [
{
"value": "SomeValue",
"key": "SomeKey"
},
{
"value": "SomeValue",
"key": "SomeKey"
},
{
"value": "somevalue",
"key": "somekey"
},
{
"value": "SomeTicketNumber",
"key": "TicketNumber"
},
{
"value": "1/1/0001 6:00:00 AM",
"key": "ExpirationTime"
}
]
}
我正在使用 Kusto 查询根据键值票号筛选此数据。删除所有其他列后,我找到了值中捕获的实际票号。
我已经尝试了 mvexpand、mv-expand,我得到了类似下面的结果。
print d = dynamic ({
"AdditionalDetails": [
{
"value": "SomeValue",
"key": "SomeKey"
},
{
"value": "SomeValue",
"key": "SomeKey"
},
{
"value": "somevalue",
"key": "somekey"
},
{
"value": "SomeTicketNumber",
"key": "TicketNumber"
},
{
"value": "1/1/0001 6:00:00 AM",
"key": "ExpirationTime"
}
]
})
| project details = d.['AdditionalDetails']
| mvexpand details
| project ticketnumber = details
输出
{"value":"SomeValue","key":"SomeKey"}
{"value":"SomeValue","key":"SomeKey"}
{"value":"somevalue","key":"somekey"}
{"value":"SomeTicketNumber","key":"TicketNumber"}
{"value":"1/1/0001 6:00:00 AM","key":"ExpirationTime"}
要求只获取键名为 ticketnumber 的行,一旦我有了该行,我应该能够将票号投影为列,有什么建议吗?
注意:我能够根据索引获取票证的价值,但 Json 结构是动态的,因此我无法对索引进行硬编码。
也许是这样的?
print d = dynamic ({
"AdditionalDetails": [
{
"value": "SomeValue",
"key": "SomeKey"
},
{
"value": "SomeValue",
"key": "SomeKey"
},
{
"value": "somevalue",
"key": "somekey"
},
{
"value": "SomeTicketNumber",
"key": "TicketNumber"
},
{
"value": "1/1/0001 6:00:00 AM",
"key": "ExpirationTime"
}
]
})
| project d.AdditionalDetails
| mv-expand d_AdditionalDetails
| extend key = d_AdditionalDetails.key
| where key == "TicketNumber"
| project value = tostring(d_AdditionalDetails.value)
您可以使用 mv-apply:https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/mv-applyoperator
datatable(d:dynamic)
[
dynamic({
"AdditionalDetails":[
{"value":"SomeValue","key":"SomeKey"},
{"value":"SomeValue","key":"SomeKey"},
{"value":"somevalue","key":"somekey"},
{"value":"SomeTicketNumber","key":"TicketNumber"},
{"value":"2/2/0002 7:00:00 AM","key":"ExpirationTime"}
]
}),
dynamic({
"AdditionalDetails":[
{"value":"AnotherTicketNumber","key":"TicketNumber"},
{"value":"SomeValue","key":"SomeKey"},
{"value":"1/1/0001 6:00:00 AM","key":"ExpirationTime"},
{"value":"SomeValue","key":"SomeKey"},
{"value":"somevalue","key":"somekey"}
]
}),
]
| mv-apply ad = d.AdditionalDetails on (
where ad.key == "TicketNumber"
| project value = tostring(ad.value)
)
| project value
我在日志分析工作区中有一个 json 字段,结构如下所示
{
"AdditionalDetails": [
{
"value": "SomeValue",
"key": "SomeKey"
},
{
"value": "SomeValue",
"key": "SomeKey"
},
{
"value": "somevalue",
"key": "somekey"
},
{
"value": "SomeTicketNumber",
"key": "TicketNumber"
},
{
"value": "1/1/0001 6:00:00 AM",
"key": "ExpirationTime"
}
]
} 我正在使用 Kusto 查询根据键值票号筛选此数据。删除所有其他列后,我找到了值中捕获的实际票号。
我已经尝试了 mvexpand、mv-expand,我得到了类似下面的结果。
print d = dynamic ({
"AdditionalDetails": [
{
"value": "SomeValue",
"key": "SomeKey"
},
{
"value": "SomeValue",
"key": "SomeKey"
},
{
"value": "somevalue",
"key": "somekey"
},
{
"value": "SomeTicketNumber",
"key": "TicketNumber"
},
{
"value": "1/1/0001 6:00:00 AM",
"key": "ExpirationTime"
}
]
})
| project details = d.['AdditionalDetails']
| mvexpand details
| project ticketnumber = details
输出
{"value":"SomeValue","key":"SomeKey"}
{"value":"SomeValue","key":"SomeKey"}
{"value":"somevalue","key":"somekey"}
{"value":"SomeTicketNumber","key":"TicketNumber"}
{"value":"1/1/0001 6:00:00 AM","key":"ExpirationTime"}
要求只获取键名为 ticketnumber 的行,一旦我有了该行,我应该能够将票号投影为列,有什么建议吗?
注意:我能够根据索引获取票证的价值,但 Json 结构是动态的,因此我无法对索引进行硬编码。
也许是这样的?
print d = dynamic ({
"AdditionalDetails": [
{
"value": "SomeValue",
"key": "SomeKey"
},
{
"value": "SomeValue",
"key": "SomeKey"
},
{
"value": "somevalue",
"key": "somekey"
},
{
"value": "SomeTicketNumber",
"key": "TicketNumber"
},
{
"value": "1/1/0001 6:00:00 AM",
"key": "ExpirationTime"
}
]
})
| project d.AdditionalDetails
| mv-expand d_AdditionalDetails
| extend key = d_AdditionalDetails.key
| where key == "TicketNumber"
| project value = tostring(d_AdditionalDetails.value)
您可以使用 mv-apply:https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/mv-applyoperator
datatable(d:dynamic)
[
dynamic({
"AdditionalDetails":[
{"value":"SomeValue","key":"SomeKey"},
{"value":"SomeValue","key":"SomeKey"},
{"value":"somevalue","key":"somekey"},
{"value":"SomeTicketNumber","key":"TicketNumber"},
{"value":"2/2/0002 7:00:00 AM","key":"ExpirationTime"}
]
}),
dynamic({
"AdditionalDetails":[
{"value":"AnotherTicketNumber","key":"TicketNumber"},
{"value":"SomeValue","key":"SomeKey"},
{"value":"1/1/0001 6:00:00 AM","key":"ExpirationTime"},
{"value":"SomeValue","key":"SomeKey"},
{"value":"somevalue","key":"somekey"}
]
}),
]
| mv-apply ad = d.AdditionalDetails on (
where ad.key == "TicketNumber"
| project value = tostring(ad.value)
)
| project value