tacticalspot.blogg.se

Azure sentinel istio
Some log data collected by Azure Monitor will include multiple pieces of information in a single property. Parsing this data into multiple properties makes it easier to use in queries. A common example is a custom log that collects an entire log entry with multiple values into a single property. By creating separate properties for the different values, you can search and aggregate on each one.

This article describes different options for parsing log data in Azure Monitor when the data is ingested and when it's retrieved in a query, comparing the relative advantages of each.

Permissions required:
- To parse data at collection time, you need Microsoft.Insights/dataCollectionRuleAssociations/* permissions, as provided by the Log Analytics Contributor built-in role, for example.
- To parse data at query time, you need Microsoft.OperationalInsights/workspaces/query/*/read permissions, as provided by the Log Analytics Reader built-in role, for example.

Parsing methods

You can parse data either at ingestion time, when the data is collected, or at query time, when you analyze the data with a query.

Parse data at collection time

Use transformations to parse data at collection time and define which columns to send the parsed data to.

Advantages:
- Easier to query the collected data because you don't need to include parse commands in the query.
- Better query performance because the query doesn't need to perform parsing.

Disadvantages:
- Can't include data that's already been collected.
- If you change the parsing logic, it will only apply to new data.
- Increases latency time for collecting data.

Parse data at query time

When you parse data at query time, you include logic in your query to parse data into multiple fields.

Advantages:
- Applies to any data, including data that's already been collected.
- Changes in logic can be applied immediately to all data.
- Flexible parsing options, including predefined logic for particular data structures.

Disadvantages:
- Must replicate parsing logic in multiple queries. This drawback can be mitigated by using functions to simulate a table.
- Can create overhead when you run complex logic against very large record sets (billions of records).

For more information on parsing data as it's collected, see Structure of transformation in Azure Monitor.

Parse in query using patterns

When the data you want to parse can be identified by a pattern repeated across records, you can use different operators in the Kusto Query Language to extract the specific piece of data into one or more new properties.

Parse operator

Use the parse operator in your query to create one or more custom properties that can be extracted from a string expression. You specify the pattern to be identified and the names of the properties to create. This approach creates custom properties in the table that can be used by queries like any other property.
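The following Kusto query is an added example, not part of the Azure Monitor article, showing query-time parsing with the parse operator and the "function that simulates a table" mitigation for the replicated-logic drawback. The table name MyApp_CL, the sample rows and the field layout are constructed for illustration; in a real workspace the let-bound function would be saved as a workspace function so every query can reuse it.

```kusto
// Constructed sample rows standing in for a custom log table (hypothetical name MyApp_CL)
// whose single RawData column holds a whole log entry with several values in it.
let MyApp_CL = datatable(TimeGenerated: datetime, RawData: string)
[
    datetime(2024-01-15 10:00:00), 'level=ERROR code=500 user=alice msg="upstream timeout"',
    datetime(2024-01-15 10:00:05), 'level=INFO code=200 user=bob msg="request ok"',
    datetime(2024-01-15 10:00:09), 'level=ERROR code=403 user=carol msg="denied"',
    datetime(2024-01-15 10:00:12), 'heartbeat'
];
// Write the parsing logic once, inside a function, and query it like a table.
// The parse pattern names the literals to match and the properties to create;
// Code:int types the extracted value so it can be compared numerically.
let MyApp_Parsed = () {
    MyApp_CL
    | parse RawData with "level=" Level " code=" Code:int " user=" User ' msg="' Message '"'
};
// Rows that don't match the pattern (the heartbeat line) get empty Level/Code/User/Message
// values and fall out of the filter; the matching rows can be searched and aggregated per field.
MyApp_Parsed()
| where Level == "ERROR"
| summarize ErrorCount = count(), Codes = make_set(Code) by User
```

Because the parsing happens in the query, the same function applies to rows collected before the logic was written and any change to the pattern takes effect immediately on all data; the cost is that parse runs on every row scanned, which is the overhead the article warns about on very large record sets.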