KQL Azure Log Analytics can't parse datetime from regex expression
Question
Given a table with columns "RawData" and "_ResourceId", which is the Azure ARM ID, I want to parse a string from a server log file like `"09:08:52,198 INFO [web.org.perfmon4j.extras.jbossweb7.P....."` and pull parts of the string into my custom table for later analysis.
The Kusto KQL query in the Azure Log Analytics editor:

```kusto
suggest_CL
| project dt = todatetime(extract("^([\\:0-9]+)\\,([0-9]+)", 1,
              "09:08:52,198 INFO [web.org.perfmon4j.extras.jbossweb7.P")),
          dtstr = extract("^([\\:0-9]+)\\,([0-9]+)", 1,
              "09:08:52,198 INFO [web.org.perfmon4j.extras.jbossweb7.P"),
          statictimestr = "09:09:52",
          statictime = todatetime("09:09:52"),
          _ResourceId, RawData
```

where `suggest_CL` is the Custom Table.
The `dtstr` column shows that the regex works and returns the correct time value.

I include some test strings:

`statictimestr = "09:09:52",`

This is a simple time-only string. The doc says it will use today's date if the date is not included.

`statictime = todatetime("09:09:52"),`

This is the above string converted to datetime.
The output is

| dt [UTC] | dtstr | statictimestr | statictime [UTC] |
|---|---|---|---|
|  | 09:08:52 | 09:09:52 | 2023-06-15T09:09:52Z |
and the `dt` column is empty, implying that the `todatetime(...)` expression evaluated to null. The `statictime` column is noted as [UTC], so the parsing of the time-only expression was successful for the string literal. Outputting `isnull(todatetime(...))` shows `true`.

The output of the `extract(regex)` expression is NOT parsed correctly.

Another SO question answers by saying the format is incorrect. There seems to be more of a problem here than that, like a bug handling function expressions as an argument to `todatetime()`. That possibility was expressed in the other question.

Any ideas?
Answer 1

Score: 0
`todatetime()` has different implementations for constant values and for calculated values - not the same set of formats is supported in both. The official set of supported formats (for both) is documented here.

This is why, for an unsupported format, it may work for you when you provide a constant value, but may not otherwise.

For unsupported formats, one thing you could try is to parse the separate date parts using the `parse` operator, then use the `make_datetime()` function to create a datetime value out of them.

For example:

```kusto
print input = "09:08:52,198 INFO [web.org.perfmon4j.extras.jbossweb7.P....."
| parse input with hours:int ":" minutes:int ":" seconds:double "," *
| extend dt = make_datetime(datetime_part("Year", now()), datetime_part("Month", now()), datetime_part("Day", now()), hours, minutes, seconds)
```
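As an added example (not code from the question or the answer), the same parse/make_datetime approach applied to the suggest_CL table's RawData column rather than a constant string; it keeps the milliseconds that the `seconds:double ","` pattern drops and takes the calendar date from the record's TimeGenerated column (assumed to exist, as in standard Log Analytics custom tables) instead of now():

```kusto
// Added example, not from the question or the answer above.
// Assumption: suggest_CL carries the standard Log Analytics TimeGenerated column.
suggest_CL
| parse RawData with hours:int ":" minutes:int ":" seconds:int "," millis:int " " level:string " " *
// Take the calendar date from the record's ingestion time rather than now(),
// so lines ingested on an earlier day are not stamped with today's date.
| extend logday = startofday(TimeGenerated)
| extend dt = make_datetime(datetime_part("Year", logday),
                            datetime_part("Month", logday),
                            datetime_part("Day", logday),
                            hours, minutes, seconds) + millis * 1ms
// Rows whose RawData does not start with HH:mm:ss,fff get null parsed columns
// (parse keeps them, unlike parse-where), so dt is null for them; flag rather
// than drop them so malformed lines stay visible for inspection.
| project dt, dt_parsed = isnotnull(dt), level, _ResourceId, RawData
```

Use `parse-where` in place of `parse` if rows that do not match the pattern should be filtered out instead of flagged.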