Azure Log Analytics 解析字符串

Question

我正在尝试从 Azure 日志中解析一个字符串。这是来自intunedevice 表，不幸的是CreateDate 列是字符串而不是日期格式。所以我想获取这个字符串值并进行一些转换，以便将其与now() 进行比较。 但我的问题是我无法使用正则表达式获取数据。

仅供参考：CreatedDate 字符串值的格式如下：

2021-05-17 07:33:41.0000000 

我只想在下面的测试结果中获取日期（例如，2021-05-17）。

我正在尝试以下方法：

IntuneDevices | where TimeGenerated > ago(1d) | parse kind=regex  CreatedDate with "(\\d\\d\\d\\d[-]\\d\\d[-]\\d\\d)*" test  | project TimeGenerated, CreatedDate, now(), test

结果：

TimeGenerated [UTC]
2021-08-30T05:08:42.8809Z
CreatedDate
2021-05-17 07:33:41.0000000
Column1 [UTC]
2021-08-30T12:40:53.296239Z
test
07:33:41.0000000

所以解析有效，但它带走了值......

IntuneDevices | where TimeGenerated > ago(1d) | parse kind=regex CreatedDate with * '(\\d{4}-\\d{2}-\\d{2})' test | project TimeGenerated, CreatedDate, now(), test

结果：

TimeGenerated [UTC]
2021-08-30T05:08:42.8809Z
CreatedDate
2021-05-17 07:33:41.0000000
Column1 [UTC]
2021-08-30T12:40:53.296239Z
test
07:33:41.0000000

所以我推它有点不同，但正如你在下面看到的，当我解析日期时消息是空的......

print m = '18/03/2020 07:08:23 1164 PACKET 000000C164RF56B0 UDP Rcv 10.128.151.34 076e Q [2021-05-17 07:33:41.0000000] A (10)indelpus03(6)kworld(4)kay(3)com(0)' | extend Message = extract(@'\[(\d{4}-\d{2}-\d{2})\]', 1, m)

留言：

/empty/

但是当仅使用文本示例时，例如 aaaaa，它可以工作...

print m = '18/03/2020 07:08:23 1164 PACKET 000000C164RF56B0 UDP Rcv 10.128.151.34 076e Q [aaaaa] A (10)indelpus03(6)kworld(4)kay(3)com(0)' | extend Message = extract(@'\[(.*)\]', 1, m)

留言：

aaaaa

Answer 1

您可以尝试使用parse operator，这将帮助您获取正则表达式中的数据
下面是如何使用解析值的代码示例。

let Traces = datatable(EventText:string)
[
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=invalid_number, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=15, lockTime=02/17/2016 08:40:00, releaseTime=invalid_datetime, previousLockTime=02/17/2016 08:39:00)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=20, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=22, lockTime=02/17/2016 08:41:01, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:01)",
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=invalid_number, sliceNumber=16, lockTime=02/17/2016 08:41:00, releaseTime=02/17/2016 08:41:00, previousLockTime=02/17/2016 08:40:00)"
];
Traces  
| parse EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices:long * "sliceNumber=" sliceNumber:long * "lockTime=" lockTime ", releaseTime=" releaseTime:date "," * "previousLockTime=" previouLockTime:date ")" *  
| project resourceName ,totalSlices , sliceNumber , lockTime , releaseTime , previousLockTime

还可以查看SO1 和SO2 以及相关讨论。

Answer 2

所以我的正则表达式确实有点错误。我像这样更正了它，现在看来我得到了正确的结果：

print m = '18/03/2020 07:08:23 1164 PACKET 000000C164RF56B0 UDP Rcv 10.128.151.34 076e Q [2021-05-17 07:33:41.0000000] A (10)indelpus03(6)kworld(4)kay(3)com(0)' | extend Message = extract(@'\[(\d{4}.*\d{2}.*\d{2})\s.*]', 1, m)

对于 CreatedDate 的非常具体的问题，我这样做了（作为测试和功能）：

IntuneDevices | extend  Trace=CreatedDate | extend Crea = extract(@'(\d{4}.*\d{2}.*\d{2})\s.*', 1, Trace) | project Crea, Trace