Develop Reference

Project Nested values in KQL from target resources - azure-data-explorer

I am new to KQL, struggling to project values inside target resources but not able to retrieve the required values can you please help me below.
AuditLogs
| where ActivityDisplayName contains "Update user" and InitiatedBy contains "Testuser"
| where TargetResources contains "Id=xxxxxxxx"
wanted to project id and userprinciplename which are coming inside the targetresources, attached screenshot below link for reference
https://ibb.co/DpzZkks
Sample Json
[{
"id": "xyz",
"displayName": null,
"type": "User",
"userPrincipalName": "ABC",
"modifiedProperties": [{
"displayName": "xxxxxx",
"oldValue": "xxxxx",
"newValue": "yyyyy"
},
{
"displayName": "xxxxx",
"oldValue": "[{xxxx}]",
"newValue": "[{xxxx}]"
},
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "xxxxx"
},
{
"displayName": "TargetId.UserType",
"oldValue": null,
"newValue": "\"Member\""
}
],
"administrativeUnits": []
}]

if TargetResources is of type string, you can use parse_json() to make it of type dynamic, then access its properties as follows:
| extend TargetResources = parse_json(TargetResources)
| project A = tostring(TargetResources.PropertyA),
B = tolong(TargetResources.PropertyB),
C = TargetResources.PropertyC
if TargetResources is already of type dynamic, you can simply access its properties as shown above, without having to invoke parse_json().
relevant documentation topics:
the dynamic data type
the parse_json() function
for example:
print input = '{"key1":1, "key2":"value2", "key3":{"key4":4.4}}'
| extend input = parse_json(input)
| project v1 = tolong(input.key1),
v2 = tostring(input.key2),
v4 = todouble(input.key3.key4)
v1
v2
v4
1
value2
4.4
UPDATE, based on the provided data sample
when dealing with arrays, you can use mv-expand or mv-apply to expand elements in the arrays for further processing
examples:
examples:
print TargetResources = dynamic([{
"id": "xyz",
"displayName": null,
"type": "User",
"userPrincipalName": "ABC",
"modifiedProperties": [{
"displayName": "xxxxxx",
"oldValue": "xxxxx",
"newValue": "yyyyy"
},
{
"displayName": "xxxxx",
"oldValue": "[{xxxx}]",
"newValue": "[{xxxx}]"
},
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "xxxxx"
},
{
"displayName": "TargetId.UserType",
"oldValue": null,
"newValue": "\"Member\""
}
],
"administrativeUnits": []
}])
| mv-expand TargetResources
| project TargetResources.id, TargetResources.userPrincipalName
TargetResources_id
TargetResources_userPrincipalName
xyz
ABC
print TargetResources = dynamic([{
"id": "xyz",
"displayName": null,
"type": "User",
"userPrincipalName": "ABC",
"modifiedProperties": [{
"displayName": "xxxxxx",
"oldValue": "xxxxx",
"newValue": "yyyyy"
},
{
"displayName": "xxxxx",
"oldValue": "[{xxxx}]",
"newValue": "[{xxxx}]"
},
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "xxxxx"
},
{
"displayName": "TargetId.UserType",
"oldValue": null,
"newValue": "\"Member\""
}
],
"administrativeUnits": []
}])
| mv-expand TargetResources
| mv-expand TargetResources.modifiedProperties
| project TargetResources_modifiedProperties
TargetResources_modifiedProperties
{ "displayName": "xxxxxx", "oldValue": "xxxxx", "newValue": "yyyyy"}
{ "displayName": "xxxxx", "oldValue": "[{xxxx}]", "newValue": "[{xxxx}]"}
{ "displayName": "Included Updated Properties", "oldValue": null, "newValue": "xxxxx"}
{ "displayName": "TargetId.UserType", "oldValue": null, "newValue": ""Member""}

Related

For the below JSON, I need the result.id and result.name output using jq for the ones having
authorization.roles[].name == "Supervisor"
What is the command for jq to to that ? For the below json we expect 1231 id and name AAAA alone as output as that only has Supervisor as role
{
"results": [{
"id": "1231",
"name": "AAAA",
"div": {
"id": "AAA",
"name": "DDSAA",
"selfUri": ""
},
"chat": {
"jabberId": "nn"
},
"department": "Shared Services Organization",
"email": "Test#gmail.com",
"primaryContactInfo": [{
"address": "Test#gmail.com",
"mediaType": "EMAIL",
"type": "PRIMARY"
}],
"addresses": [],
"state": "active",
"title": "AAA",
"username": "Test#gmail.com",
"version": 27,
"authorization": {
"roles": [{
"id": "01256689-c5ed-43a5-b370-58522402830d",
"name": "AA"
}, {
"id": "1e65b009-9f8f-4eef-9844-83944002c095",
"name": "BBB"
}, {
"id": "8a19f1ff-40e5-45d2-b758-14550a173323",
"name": "CCC"
}, {
"id": "d02250e2-7071-46bf-885b-43edff2d88a6",
"name": "Supervisor"
}]
}
}, {
"id": "1255",
"name": "BBBB",
"div": {
"id": "AAA",
"name": "DDSAA",
"selfUri": ""
},
"chat": {
"jabberId": "nn"
},
"department": "Shared Services Organization",
"email": "Test#gmail.com",
"primaryContactInfo": [{
"address": "Test#gmail.com",
"mediaType": "EMAIL",
"type": "PRIMARY"
}],
"addresses": [],
"state": "active",
"title": "AAA",
"username": "Test#gmail.com",
"version": 27,
"authorization": {
"roles": [{
"id": "01256689-c5ed-43a5-b370-58522402830d",
"name": "AA"
}, {
"id": "1e65b009-9f8f-4eef-9844-83944002c095",
"name": "BBB"
}, {
"id": "8a19f1ff-40e5-45d2-b758-14550a173323",
"name": "CCC"
}, {
"id": "d02250e2-7071-46bf-885b-43edff2d88a6",
"name": "Tester"
}]
}
}]
}

Don't put commas before closing brackets or curly braces (it's not valid JSON). Your input should look like this:
{
"results": [
{
"id": "1231",
"name": "AAAA",
"div": {
"id": "AAA",
"name": "DDSAA",
"selfUri": ""
},
"chat": {
"jabberId": "nn"
},
"department": "Shared Services Organization",
"email": "Test#gmail.com",
"primaryContactInfo": [
{
"address": "Test#gmail.com",
"mediaType": "EMAIL",
"type": "PRIMARY"
}
],
"addresses": [],
"state": "active",
"title": "AAA",
"username": "Test#gmail.com",
"version": 27,
"authorization": {
"roles": [
{
"id": "01256689-c5ed-43a5-b370-58522402830d",
"name": "AA"
},
{
"id": "1e65b009-9f8f-4eef-9844-83944002c095",
"name": "BBB"
},
{
"id": "8a19f1ff-40e5-45d2-b758-14550a173323",
"name": "CCC"
},
{
"id": "d02250e2-7071-46bf-885b-43edff2d88a6",
"name": "Supervisor"
}
]
}
},
{
"id": "1255",
"name": "BBBB",
"div": {
"id": "AAA",
"name": "DDSAA",
"selfUri": ""
},
"chat": {
"jabberId": "nn"
},
"department": "Shared Services Organization",
"email": "Test#gmail.com",
"primaryContactInfo": [
{
"address": "Test#gmail.com",
"mediaType": "EMAIL",
"type": "PRIMARY"
}
],
"addresses": [],
"state": "active",
"title": "AAA",
"username": "Test#gmail.com",
"version": 27,
"authorization": {
"roles": [
{
"id": "01256689-c5ed-43a5-b370-58522402830d",
"name": "AA"
},
{
"id": "1e65b009-9f8f-4eef-9844-83944002c095",
"name": "BBB"
},
{
"id": "8a19f1ff-40e5-45d2-b758-14550a173323",
"name": "CCC"
},
{
"id": "d02250e2-7071-46bf-885b-43edff2d88a6",
"name": "Tester"
}
]
}
}
]
}
Then, you can use select to narrow down your target objects (here using any to check if at least one of the role names matches your string -- thx #ikegami), then output any part of the resulting object(s):
jq '
.results[]
| select(any(.authorization.roles[]; .name == "Supervisor"))
| {id, name}
'
{
"id": "1231",
"name": "AAAA"
}
Demo
If instead of a JSON output you need raw text, use the -r (or --raw-output) flag, and provide the fields you are interested in:
jq -r '
.results[]
| select(any(.authorization.roles[]; .name == "Supervisor"))
| .id, .name
'
1231
AAAA
Demo

Is there a way to setup a where clause in Kusto to get specific records with child records
Like if I wanted Kyle from below
Where address has Code = street and that value= grant AND Code = Number and that value= 55555
{
"Firstname": "Bob",
"lastName": "stevens"
"address": [
{
"code": "street",
"value": "Olsen"
},
{
"code": "Number",
"value": "123456"
}
},
{
"Firstname": "Kyle",
"lastName": "richards"
"address": [
{
"code": "street",
"value": "grant"
},
{
"code": "Number",
"value": "55555"
}
}

you could try using mv-apply, and filter for records in which the number of conditions met is as expected:
datatable(i:int, d:dynamic)
[
1, dynamic({"Firstname": "Bob", "lastName": "stevens", "address": [{ "code": "street", "value": "Olsen" }, { "code": "Number", "value": "123456" }]}),
2, dynamic({"Firstname": "Kyle", "lastName": "richards", "address": [{ "code": "street", "value": "grant" }, { "code": "Number", "value": "55555" }]}),
3, dynamic({"Firstname": "Kyle", "lastName": "richards", "address": [{ "code": "street", "value": "grant" }, { "code": "Number", "value": "11111" }]})
]
| mv-apply address = d.address on (
summarize c = countif((address.code == 'street' and address.value == 'grant') or
(address.code == 'Number' and address.value == 55555))
| where c == 2
)
| project-away c
i
d
2
{ "Firstname": "Kyle", "lastName": "richards", "address": [ { "code": "street", "value": "grant" }, { "code": "Number", "value": "55555" } ]}
update: in reply to your comment:
I'm trying to do this with a sproc, Would i need to put this into a datatable then query it like that? If so how do I put a query into a datatable
First, there are no stored procedures in Kusto. there are stored functions.
Second, if you want to invoke a similar logic over an existing table, you can define a stored function that takes a tabular argument as its input. And, optionally, use the invoke operator.
For example:
.create function my_function(T:(d:dynamic)) {
T
| mv-apply address = d.address on (
summarize c = countif((address.code == 'street' and address.value == 'grant') or
(address.code == 'Number' and address.value == 55555))
| where c == 2
)
| project-away c
}
let my_table = datatable(i:int, d:dynamic)
[
1, dynamic({"Firstname": "Bob", "lastName": "stevens", "address": [{ "code": "street", "value": "Olsen" }, { "code": "Number", "value": "123456" }]}),
2, dynamic({"Firstname": "Kyle", "lastName": "richards", "address": [{ "code": "street", "value": "grant" }, { "code": "Number", "value": "55555" }]}),
3, dynamic({"Firstname": "Kyle", "lastName": "richards", "address": [{ "code": "street", "value": "grant" }, { "code": "Number", "value": "11111" }]})
];
my_table
| invoke my_function()

I have this json format I'm making an API using ASP.NET.
{
"0": {
"order_id": 11748,
"complete_date": "2021-04-19 14:48:41",
"shipping_code": "aramex.aramex",
"awbs": [
{
"aramex_id": "1314",
"order_id": "11748",
"awb_number": "46572146154",
"reference_number": "11748",
"date_added": "2021-03-04 03:46:58"
}
],
"payment": {
"method": {
"name": "الدفع عند الاستلام",
"code": "cod"
},
"invoice": [
{
"code": "sub_total",
"value": "120.8700",
"value_string": "120.8700 SAR",
"title": "الاجمالي"
},
{
"code": "shipping",
"value": "0.0000",
"value_string": "0.0000 SAR",
"title": "ارمكس"
},
{
"code": "coupon",
"value": "-13.9000",
"value_string": "-13.9000 SAR",
"title": "قسيمة التخفيض(RMP425)"
},
{
"code": "cashon_delivery_fee",
"value": "5.0000",
"value_string": "5.0000 SAR",
"title": "رسوم الدفع عند الاستلام"
},
{
"code": "tax",
"value": "18.1300",
"value_string": "18.1300 SAR",
"title": " ضريبة القيمة المضافة (15%)"
},
{
"code": "total",
"value": "130.1000",
"value_string": "130.1000 SAR",
"title": "الاجمالي النهائي"
}
]
},
"product": [
{
"id": 69,
"name": "مخلط 4 أو دو بيرفيوم للجنسين - 100 مل",
"sku": "45678643230",
"weight": "0.50000000",
"quantity": 1,
"productDiscount": "",
"images": []
}
]
}
}
How can I reach order_id? I made an object let's say its name is obj1 I tried foreach obj1 and storing into a variable obj1.order_id;
It stored null in the variable. the {"0"} is the numbering of orders starts 0-1-2 etc.

You can deserialize that json to Dictionary<string,dynamic> without creating a new class as following:
var values = JsonConvert.DeserializeObject<Dictionary<string, dynamic>>(json);
var orderId = values["0"]["order_id"].ToString();
This will give you 11748 as a result.

I have the following JSON:
{
"code": 201,
"data": {
"type": "Agent",
"id": {
"#type": "Client",
"#id": "88",
"title": "Ing.",
"titleAfter": null,
"name": "Ján",
"surname": "Kašperan",
"idNumber": "8706229411",
"dateOfBirth": null,
"idCardNumber": "OP12345",
"idCardExpirationDate": null,
"idCardType": {
"#type": "IdCardType",
"#id": 1,
"name": "id_card_type.id_card",
"shortName": "OP"
},
"type": 1
}
}
}
I would like to write a JSON path expression so that I want to get the value of "#id": "88",.
My JSON path do not work: $.data.id.#id

Since # is not allowed, access it by the string property name. More information about property accessors can be found on MDN
var json = {
"code": 201,
"data": {
"type": "Agent",
"id": {
"#type": "Client",
"#id": "88",
"title": "Ing.",
"titleAfter": null,
"name": "Ján",
"surname": "Kašperan",
"idNumber": "8706229411",
"dateOfBirth": null,
"idCardNumber": "OP12345",
"idCardExpirationDate": null,
"idCardType": {
"#type": "IdCardType",
"#id": 1,
"name": "id_card_type.id_card",
"shortName": "OP"
},
"type": 1
}
}
}
console.log(json.data.id["#id"])

I'm getting list of all users whom I've followed using following query :-
g.v(2304).out('Follow')
Response :
{
"success": true,
"results":
[
{
"Type": "User",
"CreatedTime": "2016-03-16T18:39:48.5000845Z",
"Username": "funoverflow24x7#gmail.com",
"FirstName": "Joany",
"CoverImageUrl": "https://s3-ap-southeast-1.amazonaws.com/urnotice/OrbitPage/User/Sumit/WallPost/947174ae-3e60-4dd0-877f-cc988fae3888.jpg",
"ImageUrl": "https://s3-ap-southeast-1.amazonaws.com/urnotice/OrbitPage/User/Sumit/WallPost/f4f6901c-64c4-425b-929b-43936c53eaba.png",
"LastName": "Ashtana",
"Gender": "male",
"_id": ​768,
"_type": "vertex"
},
{
"Type": "User",
"CreatedTime": "2016-04-05T16:36:49.3740440Z",
"Username": "urnoticemail#gmail.com",
"FirstName": "Maria",
"CoverImageUrl": "https://s3-ap-southeast-1.amazonaws.com/urnotice/images/companyRectangleImageNotAvailable.png",
"ImageUrl": "https://s3-ap-southeast-1.amazonaws.com/urnotice/users/female_professional.png",
"LastName": "Sharapova",
"Gender": "female",
"_id": ​5120256,
"_type": "vertex"
},
{
"Type": "User",
"CreatedTime": "2016-04-12T07:42:18.8036554Z",
"Username": "abhinavsrivastava189+1#gmail.com",
"FirstName": "Abhi",
"CoverImageUrl": "https://s3-ap-southeast-1.amazonaws.com/urnotice/OrbitPage/User/Sumit/WallPost/afd0d047-0d1c-4391-8f88-95f7775c615f.jpg",
"ImageUrl": "https://s3-ap-southeast-1.amazonaws.com/urnotice/OrbitPage/User/Sumit/WallPost/fd0842d4-579b-4896-9525-945f8f718816.JPG",
"LastName": "Sri",
"Gender": "male",
"_id": ​12800512,
"_type": "vertex"
},
{
"Type": "User",
"CreatedTime": "2016-04-15T07:51:34.3867249Z",
"Username": "786goopchup#gmail.com",
"FirstName": "Goop",
"CoverImageUrl": "",
"ImageUrl": "https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg",
"LastName": "Chup",
"Gender": "NA",
"_id": ​17928960,
"_type": "vertex"
},
{
"Type": "User",
"CreatedTime": "2016-04-20T03:25:30.0753729Z",
"Username": "sumit#thirdeyeinc.com",
"FirstName": "Kunal",
"CoverImageUrl": "https://s3-ap-southeast-1.amazonaws.com/urnotice/OrbitPage/User/Sumit/WallPost/ee167d15-52bb-4f4f-99fb-038f27eee1dc.jpeg",
"ImageUrl": "https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg",
"LastName": "Sharma",
"Gender": "NA",
"_id": ​23041024,
"_type": "vertex"
}
],
"version": "2.5.0",
"queryTime": ​21.94298
}
And I'm getting particular user post using following query :
g.v(396800).in('WallPost').sort{ a, b -> b.PostedTime <=> a.PostedTime }.()[0..3].transform{ [postInfo : it, commentsInfo: it.in('Comment').sort{ a, b -> b.PostedTime <=> a.PostedTime }.()[0..5].transform{[commentInfo:it, commentedBy: it.in('Created')]},userInfo:it.in('Created')] }
And I'm getting response :
{
"success": true,
"results": [
{
"postInfo": {
"PostImage": "",
"Type": "Post",
"PostedByUser": "sumit#thirdeyeinc.com",
"PostedTime": "2016-04-29T11:48:17.5069984Z",
"PostedTimeLong": ​635975272975069984,
"PostMessage": "testing new post. on pooja",
"_id": ​30729984,
"_type": "vertex"
},
"commentsInfo": [
],
"userInfo": [
{
"Type": "User",
"CreatedTime": "2016-04-20T03:25:30.0753729Z",
"Username": "sumit#thirdeyeinc.com",
"FirstName": "Kunal",
"CoverImageUrl": "https://s3-ap-southeast-1.amazonaws.com/urnotice/OrbitPage/User/Sumit/WallPost/ee167d15-52bb-4f4f-99fb-038f27eee1dc.jpeg",
"ImageUrl": "https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg",
"LastName": "Sharma",
"Gender": "NA",
"_id": ​23041024,
"_type": "vertex"
}
]
}
],
"version": "2.5.0",
"queryTime": ​383.759295
}
I want to get post of all users whom i've followed and that in descending order according to PostTime of post Vertex.
I've tried a lot but I'm not getting any approach how can I achieve this.

You are doing it right. Just first get all the vertices whom you are following and apply your get wall post logic on that all vertices, it will give you your desired result.
g.v(2304).out('Follow').in('WallPost').sort {
a, b -> b.PostedTime <=> a.PostedTime
}.()[0..3]
.transform {
[
postInfo: it,
commentsInfo: it.in('Comment').sort {
a, b -> b.PostedTime <=> a.PostedTime
}.()[0..5].
transform {
[
commentInfo: it,
commentedBy: it.in('Created')
]
},
userInfo:it.in('Created')
]
}
So it will give you list of all post of your following and in descending order of PostedTime.