英文:
How can I find a specific element in a dynamic array in KQL?
问题
在KQL中如何查找动态数组中的特定元素?
例如,我在KQL中有一个JSON数组(即字符串)[{"key": "foo", "val": "bar"}, {"key": "a", "val": "b"}]。现在我想找出具有"a"键的对象的val属性的值。它可以在任何索引位置,不仅仅在上面示例中的索引1。
我找到了array_index_of函数。但它似乎不接受任何谓词,它只接受索引,而我事先不知道索引。
在KQL中是否有任何方法可以查询满足某些条件的JSON数组中的项?
我尝试了mv-expand,但它似乎将key和val分开了:
datatable (b: dynamic)
[
dynamic({"key": "foo", "val": "bar"}),
dynamic({"key": "a", "val": "b"})
]
| mv-expand b
英文:
How can I find a specific element in a dynamic array in KQL?
E.g. I have the json array (i.e. a string) [{"key": "foo", "val": "bar"}, {"key": "a", "val": "b"}] in KQL. Now I want to find out the value of the property val for the objects with the "a" key. It can be at any index, not only at the index 1 as it is in the example above.
I found the array_index_of function. But it does not seem to accept any predicates, it accepts only the index and I don't know the index in my case beforehand.
Are there any means to query the JSON array for an item which satisfies some conditions in KQL?
I tried the mv-expand, but it seems to separate the key from the val:
datatable (b: dynamic)
[
dynamic({"key": "foo", "val": "bar"}),
dynamic({"key": "a", "val": "b"})
]
| mv-expand b
答案1
得分: 1
在KQL中,您可以使用mv-expand运算符来处理动态数组,然后使用mv-apply运算符根据条件过滤元素。在您的情况下,要查找具有键'a'的值,您可以使用以下代码:
datatable jsonString string
[
'{"key": "foo", "val": "bar"}, {"key": "a", "val": "b"}',
'{"key": "x", "val": "y"}, {"key": "a", "val": "z"}'
]
| mv-apply parsedJson = parse_json(jsonString) on (
project key = tostring(parsedJson['key']), val = tostring(parsedJson['val'])
)
| where key == "a"
| project val
mv-apply parsedJson = parse_json(jsonString) on (...) 使用parse_json函数将"jsonString"列中的JSON字符串转换为对象。然后使用mv-apply运算符将此解析应用于数据表的每一行,创建新的"key"和"val"列,并提取值。
where key == "a" 这会过滤行,仅保留"key"为"a"的行。
执行查询后,您将获得包含具有"a"键的对象值的表。
编辑:
要在同一行上获取"key"和"val",您可以使用mv-apply运算符与project语句。这将允许您将投影应用于动态数组的每个元素,并将属性"key"和"val"合并到单个行中。
datatable jsonString string
[
'{"key": "foo", "val": "bar"}, {"key": "a", "val": "b"}',
'{"key": "x", "val": "y"}, {"key": "a", "val": "z"}'
]
| mv-apply parsedJson = parse_json(jsonString) on (
project key = tostring(parsedJson['key']), val = tostring(parsedJson['val'])
)
| where key == "a"
| project key, val
对于我提供的示例数据,输出如下:
| key | val |
|-----|-----|
| a | b |
| a | z |
英文:
In KQL, you can use the mv-expand operator to work with dynamic arrays and then use the mv-apply operator to filter the elements based on a condition. In your case, so to find value of 'var' with the key of 'a' you would want something in the area of:
datatable jsonString string
[
'{"key": "foo", "val": "bar"}, {"key": "a", "val": "b"}',
'{"key": "x", "val": "y"}, {"key": "a", "val": "z"}'
]
| mv-apply parsedJson = parse_json(jsonString) on (
project key = tostring(parsedJson['key']), val = tostring(parsedJson['val'])
)
| where key == "a"
| project val
mv-apply parsedJson = parse_json(jsonString) on (...) The parse_json function is used to convert the JSON strings in the "jsonString" column into objects. The mv-apply operator is then used to apply this parsing to each row of the datatable, creating new columns "key" and "val" with extracted values.
where key == "a" This filters the rows to keep only those where the "key" is "a"
After executing the query, you'll get a table containing the values for the objects with the "a" key
Edit:
To get the key and val on the same row, you can use the mv-apply operator with the project statement. This will let you apply a projection to each element of the dynamic array and merge the properties key and val into a single row.
datatable jsonString string
[
'{"key": "foo", "val": "bar"}, {"key": "a", "val": "b"}',
'{"key": "x", "val": "y"}, {"key": "a", "val": "z"}'
]
| mv-apply parsedJson = parse_json(jsonString) on (
project key = tostring(parsedJson['key']), val = tostring(parsedJson['val'])
)
| where key == "a"
| project key, val
Output for me with my example data is:
| key | val |
|-----|-----|
| a | b |
| a | z |
答案2
得分: 1
现在我想找出具有“a”键的对象的属性val的值。
我已在我的环境中复制并列出了预期的结果:
您只需使用**bag_unpack()**,然后像下面这样获取a的值:
[
dynamic({"key": "foo", "val": "bar"}),
dynamic({"key": "a", "val": "b"})
]
| evaluate bag_unpack(b)
| where key contains "a";
输出:
您是否知道为什么在我的上面示例中,它会将一个dynamic分成两个部分吗?例如,键foo和值bar最终分别出现在不同的行中。
mv-expand根据逗号“,”和换行符将dynamic数组分成两部分,因此它会分割成这样,这是预期的行为。
英文:
>Now I want to find out the value of the property val for the objects with the "a" key.
I have reproduced in my environment and below are expected results:
You can just use bag_unpack() and then get the value of a like below:
datatable (b: dynamic)
[
dynamic({"key": "foo", "val": "bar"}),
dynamic({"key": "a", "val": "b"})
]
|evaluate bag_unpack(b)
| where key contains "a"
Output:
>Do you happen to know, why in my example above does it split one dynamic into two pieces? E.g. the key foo and the val bar end up in different rows.
>
mv-exapnd divides the dynamic array based on commas "," and new line so it divides like that and this is an expected behavior.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论