| Scenario | SQL statement | SPL statement |
|---|---|---|
| Data filtering | `select * where Type='write'` | `\| where Type='write'` |
| Field processing and filtering | Select specific fields and rename them: `select "__tag__:node" as node, path` | Select specific fields and rename them: `\| project node="__tag__:node", path` |
| | | Select fields by pattern: `\| project -wildcard "__tag__:*"` |
| | | Rename some fields without affecting the others: `\| project-rename node="__tag__:node"` |
| | | Exclude fields by pattern: `\| project-away -wildcard "__tag__:*"` |
| Data normalization (calling SQL functions) | Convert data types, parse times, and so on: `select cast(Status as BIGINT) as Status, date_parse(Time, '%Y-%m-%d %H:%i') AS Time` | Convert data types, parse times, and so on: `\| extend Status=cast(Status as BIGINT), extend Time=date_parse(Time, '%Y-%m-%d %H:%i')` |
| Field extraction | Regex extraction: `select regexp_extract(protocol, '\w+') as scheme, regexp_extract(protocol, '\d+') as version` | Regex extraction (all fields in a single match): `\| parse-regexp protocol, '(\w+)/(\d+)' as scheme, version` |
| | JSON extraction: `select json_extract(content, '$.0.time') as time, json_extract(content, '$.0.msg') as msg` | JSON extraction (expand everything): `\| parse-json -path='$.0' content` |
| | | CSV extraction: `\| parse-csv -delim='^_^' content as ip, time, host` |