Good day,
Attempting to check IPAddress from SiginLogs with a datatable. I am able to perform the Scalar function ipv4_is_in_range() with a single value. Ips are changed for privacy
ex:
ipv4_is_in_range(IPAddress, '127.0.0.255/24')
When I try to use a declared datatable it does not recognize the values and returns nothing.
ex:
let srcIPs = datatable (checkIP:string) ['127.0.0.1/24'];
SigninLogs
| union srcIPs
| where ipv4_is_in_range( IPAddress, checkIP)
or
let srcIPs = datatable (checkIP:string) [
'127.0.0.1/24',
'8.8.8.8',
'1.1.1.1/16'
];
SigninLogs
| union srcIPs
| where ipv4_is_in_range( IPAddress, checkIP)
if I replace the 'where' with 'extend' I will get one IP address that does show correctly but will include another IP address that is not within that range.
My question is how do I get the function to recognize the values from srcIPs correctly?
#Michael. I went a head a revisited that document and reattempted. The workspace still shows and error when I hover ipv4_lookup stating it is not defined. YET. It still ran, something I didn't attempt. Now the code looks like.
let IP_Data = datatable(network:string)
[
"127.0.0.1",
"8.8.8.8/24",
"192.168.0.1",
"10.0.240.255/21"
];
SigninLogs
| evaluate ipv4_lookup(IP_Data, IPAddress, network)
| where UserType == "Member"
| project-reorder IPAddress, UserPrincipalName
So this code got me what I was looking for. TY all for your assistance.
Answering my own question with working code for record.
Related
For my company I need to extract data from Azure Application Insights.
All the relevant data is stored in the customMeasurements. Currently, the table looks something like this:
name | itemType | customMeasurements
-----------------------------------------------------------
AppName | customEvent | {
Feature1:1,
Feature2:0,
Feature3:0
}
-----------------------------------------------------------
AppName | customEvent | {
Feature1:0,
Feature2:1,
Feature3:0
}
I'm trying to find a Kusto query which will aggregate all enabled features (which would have a value of '1'), but I'm unable to do so.
I tried several things to get this resolved like the following:
customEvents
| extend test = tostring(customMeasurements.["Feature2"])
| summarize count() by test
This actually showed me the number rows that have Feature2 set to '1' but I want to be able to extract all features that have been enabled without specifying them in the query (as they can have custom names).
Could somebody point me in the right direction please
perhaps, something like the following could give you a direction:
datatable(name:string, itemType:string, customMeasurements:dynamic)
[
'AppName', 'customEvent', dynamic({"Feature1":1,"Feature2":0,"Feature3":0}),
'AppName', 'customEvent', dynamic({"Feature1":0,"Feature2":1,"Feature3":0}),
]
| mv-apply customMeasurements on
(
extend feature = tostring(bag_keys(customMeasurements)[0])
| where customMeasurements[feature] == 1
)
| summarize enabled_features = make_set(feature) by name
Assume I have the following table in DDB. One hashkey (Lets call it 'Name'), one range key (lets call it 'Activity'), and one attribute (lets call it 'Date')
|---------------------|------------------|------------------|
| HashKey(S) | RangeKey(S) | Date(S) |
|---------------------|------------------|------------------|
| Sam | Fishing | 2019 |
|---------------------|------------------|------------------|
| Sam | Kayaking | 2019 |
|---------------------|------------------|------------------|
| Peter | Kayaking | 2019 |
|---------------------|------------------|------------------|
I want to do a conditional save on this such that I want to add a new "name + activity" and keep the most up to date date in the DB. So a breakdown of the 2 possibilities would be
1) If there is an existing hash+rangekey already based on what I have passed into the save, I want to check my condition expression and not update if it fails.
2) If it is a new hash+rangekey, I want a new row to be created, and not check my condition expression (since there are no values in the table to check on)
An example of what I tried
public void methodToDoSave() {
final Map<String, ExpectedAttributeValue> expectedAttributes =
getExpectedAttributes(date);
final DynamoDBSaveExpression saveExpression = new DynamoDBSaveExpression()
.withExpected(expectedAttributes);
mapper.save(dbItem, saveExpression);
}
private Map<String, ExpectedAttributeValue> getExpectedAttributes(
final Date date){
final Map expectedAttributeSetupForConditionalUpdate = new HashMap();
expectedAttributeSetupForConditionalUpdate
.put("Date",new ExpectedAttributeValue(new AttributeValue().withS(date))
.withComparisonOperator(ComparisonOperator.LE));
return expectedAttributeSetupForConditionalUpdate;
}
This works fine for doing the conditional checking and success/pass when the hash+range key is already in the table, however if I supply a new range key, the conditional check seems to always fail.
The stack trace for the conditional check is not that useful to explain to me the problem but my assumption is that the conditional check is being applied even for brand new row creations and so it is failing.
Is there a way to get this working in one save operation or will I need to read first, check if exists, if yes then save without the conditional checks, if no save with the conditional checks ?
I was able to leverage Tawan's hint above and do something like this.
final Map expectedAttributeSetupForConditionalUpdate = new HashMap();
expectedAttributeSetupForConditionalUpdate
.put("name", new ExpectedAttributeValue().withExists(false));
expectedAttributeSetupForConditionalUpdate
.put("activity", new ExpectedAttributeValue().withExists(false));
expectedAttributeSetupForConditionalUpdate
.put("Date", new ExpectedAttributeValue(new AttributeValue().withS(date))
.withComparisonOperator(ComparisonOperator.LE));
final DynamoDBSaveExpression saveExpression = new DynamoDBSaveExpression() .withExpected(expectedAttributeSetupForConditionalUpdate)
.withConditionalOperator(ConditionalOperator.OR);
I wasn't able to use the newer Condition expressions since DynamoDB mapper doesn't support them yet in the version I'm using. Essentially this "passes" the conditional check when the row doesn't exist, but uses the date when it does exist.
I have a search request written as
import sqlite3
conn = sqlite3.connect('locker_data.db')
c = conn.cursor()
def search1(teacher):
test = 'SELECT Name FROM locker_data WHERE Name or Email LIKE "%{0}%"'.format(teacher)
data1 = c.execute(test)
return data1
def display1(data1):
Display1 = []
for Name in data1:
temp1 = str(Name[0])
Display1.append("Name: {0}".format(temp1))
return Display1
def locker_searcher(teacher):
data = display1(search1(teacher))
return data
This allows me to search for the row containing "Mr FishyPower (Mr Swag)" or "Mr FishyPower / Mr Swag" with a search input of "FishyPower". However, when I try searching with an input of "Swag", I am then unable to find the same row.
In the search below, it should have given me the same search results.
The database is just a simple 1x1 sqlite3 database containing 'FishyPower / Mr Swag'
Search Error on 'Swag'
Edit: I technically did solve it by limiting the columns being searched to only 'Name' but I intended the code search both the 'Name' and 'Email' columns and output the results as long as the search in within either or both columns.
Edit2: SELECT Name FROM locker_data WHERE Email LIKE "%{0}%" or Name LIKE "%{0}%" was the right way to go.
I'm gonna guess that Mr. FishyPower's email address is something like mrFishyPower#something.com. The query is only comparing Email to teacher. If it was
WHERE Name LIKE "%{0}%"
OR Email LIKE "%{0}%"'
you would (probably) get the result you want.
I have some data in Application Insights Analytics that has a dynamic object as a property of custom dimensions. For example:
| timestamp | name | customDimensions | etc |
|-------------------------|---------|----------------------------------|-----|
| 2017-09-11T19:56:20.000 | Spinner | { | ... |
MyCustomDimension: "hi"
Properties:
context: "ABC"
userMessage: "Some other"
}
Does that make sense? So a key/value pair inside of customDimensions.
I'm trying to bring up the context property to be a proper column in the results. So expected would be :
| timestamp | name | customDimensions | context| etc |
|-------------------------|---------|----------------------------------|--------|-----|
| 2017-09-11T19:56:20.000 | Spinner | { | ABC | ...
MyCustomDimension: "hi"
Properties:
context: "ABC"
userMessage: "Some other"
}
I've tried this:
customEvents | where name == "Spinner" | extend Context = customDimensions.Properties["context"]
and this:
customEvents | where name == "Spinner" | extend Context = customDimensions.Properties.context
but neither seem to work. They give me a column at the end named "Context" but the column is empty - no values.
Any ideas?
EDIT:
Added a picture for clarifying the format of the data:
edited to working answer:
customEvents
| where name == "Spinner"
| extend Properties = todynamic(tostring(customDimensions.Properties))
| extend Context = Properties.context
you need an extra tostring and todynamic in here to get what you expect (and what i expected!)
the explanation i was given:
Dynamic field "promises" you the upper/outer level of key / value access (this is how you access customDimensions.Properties).
Accessing internal structure of that json depends on the exact format of customDimensions.Properties content. It doesn’t have to be json by itself. Even if it looks like a well structured json, it still may be just a string that is not exactly well formatted json.
So basically, it by default won't attempt to parse strings inside of a dynamic/json block because they don't want to spend a lot of time possibly trying and failing to convert nested content to json infinitely.
I still think that extra tostring shouldn't be required inside there, since todynamic should already be allowing both string and dynamic in validly, so i'm checking to see if the team that owns the query stuff can make that step better.
Thanks sooo much.. just to expand on the answer from John. We needed to graph duration of end-points using custom events. This query made it so we could specify the duration as our Y-axis in the chart:
customEvents
| extend Properties = todynamic(tostring(customDimensions.Properties))
| extend duration = todouble(todecimal(Properties.duration))
| project timestamp, name, duration
I want to declare and initialize integer variable in Decision Table. I created a sample rule in .drl file. It's working fine but i want that rule in drool spreadsheet. Anybody know How to do it?
Sample Rule code.
rule "GoodBye1"
salience 5
when
a : Message(count == 45)
then
System.out.println("-----------------");
int temp = a.getTemplatesFromDba("123");
System.out.println("-Raj--> "+temp);
a.setPriority(temp);
update(a);
end
You'll have to write it in to the Action part of your decision table. Here's one way to do it with a decision table. What suites best for your needs requires a bit more info on the details.
Condition | Action
a : Message |
$param | a.setPrio( a.getTemplate( $param) ); update(a);
--------------------------
count == 45 | "123"
If you need, you can add the System.out.prinln calls in the Action block as well. If you have a lot of operations to execute, it might be better to create a helper function for that.