Is there anything in Azure Log Analytics similar to Splunk's lookup tables? (https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Lookup)
Basically, a way to map values to other values, i.e.:
> value1 => value11
> value2 => value22
Answer 0: (score: 0)
I realise this is 4 months old, but I ran into a similar issue and this may help someone going forward. You have to define a datatable and then join on it as the lookup table. Sample from the docs:
// Inline lookup table: maps a Windows security EventID to a readable name
let DimTable = datatable(EventID:int, eventName:string)
[
    4658, "The handle to an object was closed",
    4656, "A handle to an object was requested",
    4690, "An attempt was made to duplicate a handle to an object",
    4663, "An attempt was made to access an object",
    5061, "Cryptographic operation",
    5058, "Key file operation"
];
// Join the events against the lookup table and count by the mapped name
SecurityEvent
| join kind=inner DimTable on EventID
| summarize count() by eventName
The output then renders like this:
See the lookup table section of this doc: https://docs.loganalytics.io/docs/Learn/Tutorials/Joins---cross-analysis. I ended up doing most of the work before finding this reference :/.
You can also create the datatable, then save that search and join on the saved search, so you don't need to define the table in every query.
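An added example (not from the answer above or from the Azure docs) that goes one step beyond the inner join: with `kind=inner`, any event whose EventID is absent from the lookup table is silently dropped from the count, which is an easy way to lose visibility when a new event type appears. The `leftouter` form below keeps those rows and labels them. It assumes the Log Analytics `SecurityEvent` table with its `TimeGenerated` and `EventID` columns; the EventID/name pairs are the same sample values as the answer.

```kusto
// Added example: datatable lookup with a left outer join so that events
// not present in the mapping are kept and labelled instead of discarded.
// The EventID -> eventName pairs are sample values, not a complete mapping.
let DimTable = datatable(EventID:int, eventName:string)
[
    4658, "The handle to an object was closed",
    4656, "A handle to an object was requested",
    4690, "An attempt was made to duplicate a handle to an object",
    4663, "An attempt was made to access an object",
    5061, "Cryptographic operation",
    5058, "Key file operation"
];
SecurityEvent
| where TimeGenerated > ago(1d)
// leftouter keeps every SecurityEvent row; unmatched rows get an empty eventName
| join kind=leftouter DimTable on EventID
// the right-hand key column comes back as EventID1; it is redundant here
| project-away EventID1
// coalesce treats the empty string as missing, so unmapped IDs get a visible label
| extend eventName = coalesce(eventName, strcat("unmapped EventID ", tostring(EventID)))
| summarize count() by eventName
| order by count_ desc
```

Rows labelled "unmapped EventID ..." are the ones an inner join would have hidden; reviewing that bucket periodically is how you find out the lookup table needs extending.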