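Problem description
So, I want to use a Stream Analytics job to capture the management events that Azure sends to an EventHub and forward only the events that match specific criteria to an Azure Function. The events arrive in an object like this (heavily trimmed for simplicity):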
{
  "records": [
    {
      "resourceId": "<resource_path>",
      "operationName": "MICROSOFT.COmpuTE/VIRTUALMACHInes/WRITE"
    },
    {
      "time": "2021-03-19T19:19:56.0639872Z",
      "category": "Administrative",
      "resultType": "Accept",
      "resultSignature": "Accepted.Created",
      "properties": {
        "statusCode": "Created",
        "serviceRequestId": "<trimmed>",
        "eventCategory": "Administrative",
        "message": "Microsoft.Compute/virtualMachines/write",
        "hierarchy": "<trimmed>"
      },
      "tenantId": "<trimmed>"
    }
  ],
  "EventProcessedUtcTime": "2021-03-19T19:25:21.1471185Z",
  "PartitionId": 1,
  "EventEnqueuedUtcTime": "2021-03-19T19:20:43.9080000Z"
}
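I want to filter the query on the following condition: records[0].operationName = 'MICROSOFT.COmpuTE/VIRTUALMACHInes/WRITE' AND records[1].properties.statusCode = 'Created'. To achieve this, I started with the following query, which returns this record but is missing one of the conditions I need to match (statusCode):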
SELECT
records
INTO
[output]
FROM
[input]
WHERE
GetArrayElement(records,0).operationName = 'MICROSOFT.COmpuTE/VIRTUALMACHInes/WRITE'
Trying the query below does not work (it returns 0 matches):
SELECT
records
INTO
[output]
FROM
[input]
WHERE
GetArrayElement(records,0).operationName = 'MICROSOFT.COmpuTE/VIRTUALMACHInes/WRITE'
AND GetArrayElement(records,1).properties.statusCode = 'OK'
Does anyone have any idea about this?
Solution
Found the solution! I needed to use GetRecordPropertyValue, like so:
SELECT
records
INTO
[output]
FROM
[input]
WHERE
GetArrayElement(records,0).operationName = 'MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE'
AND GetRecordPropertyValue(GetArrayElement(records,1).properties,'statusCode') = 'Created'
It looks a bit clunky to me, but it worked!