| Scenario | SQL statement | SPL statement |
| --- | --- | --- |
| Data filtering | `select * where Type='write'` | `\| where Type='write'` |
| Field processing and selection | Select specific fields and rename them: `select "__tag__:node" as node, path` | Select specific fields and rename them: `\| project node="__tag__:node", path`<br>Select fields by pattern: `\| project -wildcard "__tag__:*"`<br>Rename some fields without affecting the others: `\| project-rename node="__tag__:node"`<br>Exclude fields by pattern: `\| project-away -wildcard "__tag__:*"` |
| Data normalization (calling SQL functions) | Convert data types, parse times, and so on: `select cast(Status as BIGINT) as Status, date_parse(Time, '%Y-%m-%d %H:%i') AS Time` | Convert data types, parse times, and so on: `\| extend Status=cast(Status as BIGINT), extend Time=date_parse(Time, '%Y-%m-%d %H:%i')` |
| Field extraction | Regex extraction: `select regexp_extract(protocol, '\w+') as scheme, regexp_extract(protocol, '\d+') as version`<br>JSON extraction: `select json_extract(content, '$.0.time') as time, json_extract(content, '$.0.msg') as msg` | Regex extraction, matching everything in a single pass: `\| parse-regexp protocol, '(\w+)/(\d+)' as scheme, version`<br>JSON extraction, expanding all fields: `\| parse-json -path='$.0' content`<br>CSV extraction: `\| parse-csv -delim='^_^' content as ip, time, host` |