【Question title】: Parse `key1=value1 key2=value2` in Kusto
【Posted】: 2020-12-30 10:38:05
【Question】:

I'm running Cilium in an Azure Kubernetes cluster and want to parse the cilium log messages in Azure Log Analytics. The log messages have a format like

key1=value1 key2=value2 key3="if the value contains spaces, it's wrapped in quotation marks"

For example:

level=info msg="Identity of endpoint changed" containerID=a4566a3e5f datapathPolicyRevision=0 

I can't find a matching parse_xxx method in the documentation (e.g. https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/parsecsvfunction ). Is it possible to write a custom function to parse this kind of log message?

【Question discussion】:

    Tags: azure azure-log-analytics azure-data-explorer cilium


    【Solution 1】:

    Not a fun format to parse... but this should work:

    let LogLine = "level=info msg=\"Identity of endpoint changed\" containerID=a4566a3e5f datapathPolicyRevision=0";
    print LogLine
    | extend KeyValuePairs = array_concat(
        extract_all("([a-zA-Z_]+)=([a-zA-Z0-9_]+)", LogLine),
        extract_all("([a-zA-Z_]+)=\"([a-zA-Z0-9_ ]+)\"", LogLine))
    | mv-apply KeyValuePairs on 
    (
        extend p = pack(tostring(KeyValuePairs[0]), tostring(KeyValuePairs[1]))
        | summarize dict=make_bag(p)
    )
    

    The output will be:

    | print_0            | dict                                    |
    |--------------------|-----------------------------------------|
    | level=info msg=... | {                                       |
    |                    |   "level": "info",                      |
    |                    |   "containerID": "a4566a3e5f",          |
    |                    |   "datapathPolicyRevision": "0",        |
    |                    |   "msg": "Identity of endpoint changed" |
    |                    | }                                       |
    |--------------------|-----------------------------------------|
    

    【Discussion】:

    • Great, this helped a lot to get started. I had to change the regular expressions further, because the real logs contain some quirks that aren't in the example. I'll add another answer with the query I ended up with.
    【Solution 2】:

    With the help of Slavik N, I came up with a query that works for me:

    let containerIds = KubePodInventory
    | where Namespace startswith "cilium"
    | distinct ContainerID
    | summarize make_set(ContainerID);
    ContainerLog
    | where ContainerID in (containerIds)
    | extend KeyValuePairs = array_concat(
        extract_all("([a-zA-Z0-9_-]+)=([^ \"]+)", LogEntry),
        extract_all("([a-zA-Z0-9_]+)=\"([^\"]+)\"", LogEntry))
    | mv-apply KeyValuePairs on 
    (
        extend p = pack(tostring(KeyValuePairs[0]), tostring(KeyValuePairs[1]))
        | summarize JSONKeyValuePairs=parse_json(make_bag(p))
    )
    | project TimeGenerated, Level=JSONKeyValuePairs.level, Message=JSONKeyValuePairs.msg, PodName=JSONKeyValuePairs.k8sPodName, Reason=JSONKeyValuePairs.reason, Controller=JSONKeyValuePairs.controller, ContainerID=JSONKeyValuePairs.containerID, Labels=JSONKeyValuePairs.labels, Raw=LogEntry
    

    【Discussion】:

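As an added example (not code from the question or from either answer), the following Python reference parser covers the logfmt edge cases that the two-regex extraction used in Solution 1 and Solution 2 cannot: a quoted value that itself contains `=` (Cilium policy and label fields such as `k8s:app=web`) and escaped quotes inside a quoted value. The `parse_with_regexes` function re-implements Solution 2's two patterns in Python's `re` so the two can be compared on the same input; the sample log lines are constructed for this example, and `parse_logfmt`/`parse_with_regexes` are names chosen here, not anything from Cilium or Kusto. Running a small sample through both before trusting a KQL extraction in a detection rule is the check a practitioner would want.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the Cilium logfmt format in the question.
# Line 2 has '=' inside a quoted value; line 3 has escaped quotes inside a quoted value.
SAMPLE_LINES: List[str] = [
    'level=info msg="Identity of endpoint changed" containerID=a4566a3e5f datapathPolicyRevision=0',
    'level=warning msg="Error while updating policy" error="rule k8s:app=web: invalid" subsys=daemon',
    'level=debug msg="Value with \\"escaped\\" quotes" k8sPodName=cilium-abc12 ipv4=10.0.0.5',
]

# Solution 2's two patterns (RE2 in Kusto; these particular patterns behave the same in Python's re).
BARE_RE = re.compile(r'([a-zA-Z0-9_-]+)=([^ "]+)')
QUOTED_RE = re.compile(r'([a-zA-Z0-9_]+)="([^"]+)"')


def parse_with_regexes(line: str) -> Dict[str, str]:
    """Mirror of the KQL approach: array_concat of the two extract_all results, folded into a bag."""
    pairs = BARE_RE.findall(line) + QUOTED_RE.findall(line)
    return dict(pairs)  # later pairs win, like make_bag with duplicate keys


def parse_logfmt(line: str) -> Dict[str, str]:
    """Single-pass logfmt parser: bare values end at a space; quoted values end at an
    unescaped double quote and may contain spaces, '=' and backslash-escaped quotes."""
    result: Dict[str, str] = {}
    i, n = 0, len(line)
    while i < n:
        while i < n and line[i] == ' ':  # skip separators
            i += 1
        if i >= n:
            break
        start = i
        while i < n and line[i] not in ' =':  # key runs up to '=' or space
            i += 1
        key = line[start:i]
        if i >= n or line[i] != '=':
            result[key] = ''  # bare token without '=': key with empty value
            continue
        i += 1  # skip '='
        if i < n and line[i] == '"':
            i += 1  # skip opening quote
            buf: List[str] = []
            while i < n and line[i] != '"':
                if line[i] == '\\' and i + 1 < n:  # backslash escapes the next character
                    i += 1
                buf.append(line[i])
                i += 1
            i += 1  # skip closing quote (or run off the end of an unterminated value)
            result[key] = ''.join(buf)
        else:
            start = i
            while i < n and line[i] != ' ':  # bare value ends at the next space
                i += 1
            result[key] = line[start:i]
    return result


def divergent_keys(line: str) -> List[str]:
    """Keys whose value differs (or exists only on one side) between the two parsers."""
    a, b = parse_with_regexes(line), parse_logfmt(line)
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_logfmt(line))
        print("  regex approach diverges on:", divergent_keys(line))
```

On the first sample line both parsers agree, which is why Solution 1's output looks right. On the second, the bare-value regex also matches `app=web:` inside the quoted `error` value and emits a spurious `app` key; on the third, `[^"]+` stops at the first escaped quote and truncates `msg`. Neither is a bug in KQL, just a limit of regex extraction on this format, so any field you pivot a detection on (labels, policy rules, messages with user-controlled content) deserves this kind of spot check.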