情境 | SQL語句 | SPL語句 |
資料過濾 | select * where Type='write'
| | where Type='write'
|
欄位處理與篩選 | 精確選擇欄位,並將其重新命名 select "__tag__:node" as node, path
| 精確選擇欄位,並重新命名。 | project node="__tag__:node", path
按模式選擇欄位。 | project -wildcard "__tag__:*"
重新命名部分欄位,不影響其他欄位。 | project-rename node="__tag__:node"
按模式排除欄位。 | project-away -wildcard "__tag__:*"
|
資料規整 (調用SQL函數) | 轉換資料類型、時間解析等 select
cast(Status as BIGINT) as Status,
date_parse(Time, '%Y-%m-%d %H:%i') AS Time
| 轉換資料類型、時間解析等 | extend Status=cast(Status as BIGINT), extend Time=date_parse(Time, '%Y-%m-%d %H:%i')
|
欄位提取 | 正則提取 select
regexp_extract(protocol, '\w+') as scheme,
regexp_extract(protocol, '\d+') as version
JSON提取 select
json_extract(content, '$.0.time') as time,
json_extract(content, '$.0.msg') as msg
| 正則提取:一次性匹配。 | parse-regexp protocol, '(\w+)/(\d+)' as scheme, version
JSON提取:全部展開。 | parse-json -path='$.0' content
CSV提取。 | parse-csv -delim='^_^' content as ip, time, host
|