Scenario | SQL statement | SPL statement |
Data filtering | select * where Type='write'
| | where Type='write'
|
Field processing and filtering | Search for a field in exact mode and rename the field. select "__tag__:node" as node, path
| Search for a field in exact mode and rename the field. | project node="__tag__:node", path
Search for fields by mode. | project -wildcard "__tag__:*"
Rename a field without affecting other fields. | project-rename node="__tag__:node"
Remove fields by mode. | project-away -wildcard "__tag__:*"
|
Data standardization (SQL function calls) | Convert a data type and parse time. select
cast(Status as BIGINT) as Status,
date_parse(Time, '%Y-%m-%d %H:%i') AS Time
| Convert a data type and parse time. | extend Status=cast(Status as BIGINT), extend Time=date_parse(Time, '%Y-%m-%d %H:%i')
|
Field extraction | Regular expression-based extraction select
regexp_extract(protocol, '\w+') as scheme,
regexp_extract(protocol, '\d+') as version
JSON data extraction select
json_extract(content, '$.0.time') as time,
json_extract(content, '$.0.msg') as msg
| Regular expression-based extraction: one-time matching | parse-regexp protocol, '(\w+)/(\d+)' as scheme, version
JSON data extraction: full expansion | parse-json -path='$.0' content
CSV data extraction | parse-csv -delim='^_^' content as ip, time, host
|