azure 如何在第二个查询中使用第一个KQL查询的结果来过滤结果?

q8l4jmvw  于 2022-12-30  发布在  其他
关注(0)|答案(2)|浏览(167)

我的第一个KQL查询返回了一个域名列表,然后我想用这些来过滤另一个KQL查询。我只是不知道语法。有没有办法在KQL中使用contains()操作符和for循环/迭代?
KQL -质询1

let hostnames = () {
    AllDomains 
    | where hostname !contains "default.com" and hostname != ""
    | distinct hostname
   }

KQL -质询2

let start_date = ago(10m);
let end_date = now();
LogEvents 
| where env_time between (start_date .. end_date)
| where headers  contains "X-Forwarded-For"
| where queryString contains (hostnames()) //This is what is needed to filter on all the domains from first query.
| project queryString
kgsdhlau

kgsdhlau1#

如果您能提供一个数据外观和您要实现的目标的示例,那就更好了,但是我认为您应该使用has_any而不是contains

mu0hgdu0

mu0hgdu02#

这可能行得通:

let hostnames =
    AllDomains 
    | where isnotempty(hostname) and hostname !has "default.com"
    | distinct hostname
;
let start_date = ago(10m);
let end_date = now();
LogEvents 
| where env_time between (start_date .. end_date)
| where headers contains "X-Forwarded-For"
| where queryString has_any (hostnames)
| project queryString

相关问题