Kusto - if else with matches regex - azure-data-explorer

How do I convert the below Splunk query to Kusto, please?
| eval result=if(Match(Status,"Success|Passed"), "succeeded","failed")
I am trying the below in Kusto, but it does not work:
| extend result = case(Status matches regex ("Success", "Passed"), "succeeded", "failed")
Thanks.

You could try this:
T
| extend result = case(Status contains "Success" or Status contains "Passed", "succeeded", "failed")
If "Success" and "Passed" are known to be terms in the source data, you should replace "contains" with "has"; and if they're known to be the entire string, you can use "in()" or "in~()" instead.
See: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators
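Added example, not part of the answer above: a constructed Status column run through three variants side by side, so the behaviour of each operator is visible on one result set. The direct equivalent of the Splunk eval is `matches regex` with `iff()`; the `has` and `in~` forms are the answer's recommendations.

```kusto
// Constructed Status values chosen to separate the three operators
datatable(Status:string)
[
    "Success",
    "Passed",
    "Passed with warnings",
    "passed",
    "Failed",
    ""
]
// Direct equivalent of the Splunk eval: RE2 regex (case-sensitive), iff() for the two-way branch
| extend via_regex = iff(Status matches regex "Success|Passed", "succeeded", "failed")
// Term match (case-insensitive), for when the words are whole terms in the data
| extend via_has   = iff(Status has "Success" or Status has "Passed", "succeeded", "failed")
// Whole-string match (case-insensitive), for when the field holds exactly one of the words
| extend via_in    = iff(Status in~ ("Success", "Passed"), "succeeded", "failed")
```

The rows "Passed with warnings" and "passed" are the ones that differ: `matches regex` classifies the first as succeeded and the second as failed, `has` classifies both as succeeded, and `in~` classifies only the second as succeeded. Pick the operator by which of those outcomes is the one you actually want, since a detection rule that treats "passed" as a failure (or "Passed with warnings" as a clean pass) is wrong in a way that is easy to miss.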

Related

Need help in to extract values to new row in Kusto

I kind of need help extracting a value from a string and dynamically adding a new row.
Below is the string that I have in the column DBInfo.
[{"DBName":"master","TriggerName":"ramp_sqlpreventivetrigger_sqlserver_v01","TriggerStateDB":"Enabled"},{"DBName":"master","TriggerName":"No Trigger","TriggerStateDB":"No Trigger"}]
As you can see, we have two sets of data in the above string. The master database appears twice, so I need multiple rows instead of one row.
Below is what I have so far.
I am using substring and trim for now to remove "]" and "[" from the string so that I can use the parse_json function. I am not having any luck so far.
SQLTriggerViolations
| where TriggerStatus != "Enabled"
| where ServerName == 'ServerName'
| project ServerName, DBInfo
| extend DBInfoModified = substring(DBInfo, 1, strlen(DBInfo))
| extend DBInfoFinal = trim("]", DBInfoModified)
| extend DBName = parse_json(DBInfoFinal).TriggerName
You can use mv-expand: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/mvexpandoperator
For example:
datatable(DBInfo:string)
[
'[{"DBName":"master","TriggerName":"ramp_sqlpreventivetrigger_sqlserver_v01","TriggerStateDB":"Enabled"},{"DBName":"master","TriggerName":"No Trigger","TriggerStateDB":"No Trigger"}]'
]
| mv-expand parse_json(DBInfo)
DBInfo
{ "DBName": "master", "TriggerName": "ramp_sqlpreventivetrigger_sqlserver_v01", "TriggerStateDB": "Enabled"}
{ "DBName": "master", "TriggerName": "No Trigger", "TriggerStateDB": "No Trigger"}
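Added example, not part of the answer above: it carries the mv-expand one step further to the columns the asker's query was reaching for. SampleViolations is a constructed stand-in for SQLTriggerViolations with a ServerName column and the DBInfo JSON array.

```kusto
// Constructed rows in the shape of the asker's SQLTriggerViolations table
let SampleViolations = datatable(ServerName:string, DBInfo:string)
[
    "sql-01", '[{"DBName":"master","TriggerName":"ramp_sqlpreventivetrigger_sqlserver_v01","TriggerStateDB":"Enabled"},{"DBName":"master","TriggerName":"No Trigger","TriggerStateDB":"No Trigger"}]',
    "sql-02", '[{"DBName":"audit","TriggerName":"No Trigger","TriggerStateDB":"No Trigger"},{"DBName":"msdb","TriggerName":"ramp_sqlpreventivetrigger_sqlserver_v01","TriggerStateDB":"Enabled"}]'
];
SampleViolations
// One output row per array element; the element lands in a new dynamic column named Trigger
| mv-expand Trigger = parse_json(DBInfo)
// Pull the element's properties into typed columns
| project ServerName,
          DBName         = tostring(Trigger.DBName),
          TriggerName    = tostring(Trigger.TriggerName),
          TriggerStateDB = tostring(Trigger.TriggerStateDB)
// Keep only the databases whose preventive trigger is not in place
| where TriggerStateDB != "Enabled"
```

No substring or trim step is needed: parse_json() accepts the bracketed array as-is, and mv-expand does the row multiplication. On the constructed data the result is two rows, master on sql-01 and audit on sql-02, both with TriggerStateDB "No Trigger".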

KQL ipv4_is_in_range with datatable

Good day,
Attempting to check IPAddress from SigninLogs with a datatable. I am able to perform the scalar function ipv4_is_in_range() with a single value. IPs are changed for privacy.
ex:
ipv4_is_in_range(IPAddress, '127.0.0.255/24')
When I try to use a declared datatable it does not recognize the values and returns nothing.
ex:
let srcIPs = datatable (checkIP:string) ['127.0.0.1/24'];
SigninLogs
| union srcIPs
| where ipv4_is_in_range( IPAddress, checkIP)
or
let srcIPs = datatable (checkIP:string) [
'127.0.0.1/24',
'8.8.8.8',
'1.1.1.1/16'
];
SigninLogs
| union srcIPs
| where ipv4_is_in_range( IPAddress, checkIP)
If I replace the 'where' with 'extend', I will get one IP address that does show correctly but will include another IP address that is not within that range.
My question is how do I get the function to recognize the values from srcIPs correctly?
@Michael, I went ahead and revisited that document and reattempted. The workspace still shows an error when I hover over ipv4_lookup, stating it is not defined. Yet it still ran, something I hadn't attempted. Now the code looks like:
let IP_Data = datatable(network:string)
[
"127.0.0.1",
"8.8.8.8/24",
"192.168.0.1",
"10.0.240.255/21"
];
SigninLogs
| evaluate ipv4_lookup(IP_Data, IPAddress, network)
| where UserType == "Member"
| project-reorder IPAddress, UserPrincipalName
So this code got me what I was looking for. Thank you all for your assistance.
Answering my own question with working code for the record.
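Added example, not part of the asker's query: the same ipv4_lookup plugin, but with a second column in the range table so each matched sign-in is labelled with why the range matters, and with return_unmatched set so sign-ins from unknown networks stay in the output instead of disappearing. IP_Data and SampleSignins are constructed here (SampleSignins stands in for the real SigninLogs table; the addresses are documentation ranges).

```kusto
// Range table: every column besides the lookup key is appended to matching rows
let IP_Data = datatable(network:string, label:string)
[
    "10.0.240.0/21",    "corp-vpn",
    "192.168.0.1",      "jump-host",
    "203.0.113.0/24",   "watchlist"
];
// Constructed sign-in rows in the shape of SigninLogs
let SampleSignins = datatable(TimeGenerated:datetime, IPAddress:string, UserPrincipalName:string, UserType:string)
[
    datetime(2024-01-01 10:00:00), "10.0.242.7",   "alice@contoso.example", "Member",
    datetime(2024-01-01 10:05:00), "203.0.113.42", "bob@contoso.example",   "Member",
    datetime(2024-01-01 10:07:00), "198.51.100.9", "carol@contoso.example", "Member",
    datetime(2024-01-01 10:09:00), "192.168.0.1",  "svc-backup@contoso.example", "Guest"
];
SampleSignins
// Match IPAddress against the CIDR/single-address entries in IP_Data;
// return_unmatched keeps rows that hit no range, with empty lookup columns
| evaluate ipv4_lookup(IP_Data, IPAddress, network, return_unmatched = true)
| extend label = coalesce(label, "unknown")
| where UserType == "Member"
| project TimeGenerated, UserPrincipalName, IPAddress, network, label
```

On the constructed data alice is labelled corp-vpn, bob is labelled watchlist, and carol comes through as unknown with an empty network column; the Guest row is dropped by the UserType filter. Without return_unmatched the plugin behaves like an inner join and carol's row would not appear at all, which is the right choice for an allow-list check but the wrong one when you want to see every sign-in and merely annotate the known ranges.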

Extracting values with jq only when they exist

I have a large file of records that contain fields that look something like this:
{
"id": "1000001",
"updatedDate": "2018-12-21T01:52:00Z",
"createdDate": "1993-11-30T02:59:25Z",
"varFields": [
{
"fieldTag": "b",
"content": "1000679727"
},
{
"fieldTag": "v",
"content": "v.1"
}
]
}
I need to extract the .content element along with other things, but only when the fieldTag associated with it is "v". Only some records contain a fieldTag "v".
When I try to parse using
(.varFields[] |select(.fieldTag=="v") | "\(.content)") // ""
it works fine so long as v is present. However, when it is not present, I get
jq: error (at <stdin>:353953): Cannot iterate over null (null)
I tried to get rid of the error with multiple variations, including things to the effect of
(select((.varFields[] |select(.fieldTag=="v") | .content) != null) | .varFields[] |select(.fieldTag=="v") | "\(.content)") // ""
but I'm still getting the same error. What am I missing?
Take a look at the error suppression operator ? that works a bit like the new ?. nullable chaining operator in JavaScript.
The ? operator, used as EXP?, is shorthand for try EXP.
Example:
jq '[.[]|(.a)?]'
Input [{}, true, {"a":1}]
Output [null, 1]
They have a slightly simpler demonstrable example of this at https://jqplay.org/jq?q=%5B.%5B%5D%7C(.a)%3F%5D&j=%5B%7B%7D%2C%20true%2C%20%7B%22a%22%3A1%7D%5D and the try-catch operator is similar if all you need is custom error handling (or just error ignoring...).

App insights: Can you concatenate two properties together?

I have a custom event with a json (string) property called EventInfo. Sometimes this property will be larger than the 150 character limit set on event properties, so I have to split it into multiple properties, i.e. EventInfo0, EventInfo1, etc.
For example (shortened for simplicity):
EventInfo0: [{ "label" : "likeButton", "stat],
EventInfo1: [us" : "success" }]
I found out how to look at EventInfo as a json in app insights like:
customEvents
| where name == "people"
| extend Properties = todynamic(tostring(customDimensions.Properties))
| extend type=parsejson(Properties.['EventInfo'])
| mvexpand type
| project type, type.label, type.status
Is there a way I can concatenate EventInfo0 and EventInfo1 to create the full json string, and query that like above?
According to the documentation, the 150 character limit is on the key, and not on the entire payload. So splitting as you're doing it may not actually be required.
https://learn.microsoft.com/en-us/azure/azure-monitor/app/data-model-event-telemetry#custom-properties
That said, to answer your question: while it's not efficient to do this at query time, the following could work:
datatable(ei0:string, ei1:string)
[
'[{ "label" : "likeButton", "stat]', '[us" : "success" }]',
'[{ "lab]', '[el" : "bar", "hello": "world" }]'
]
| project properties = parse_json(strcat(substring(ei0, 1, strlen(ei0) - 2), substring(ei1, 1, strlen(ei1) - 2)))
| project properties.label
properties_label
----------------
likeButton
bar
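Added example, not part of the answer above: the same reassembly generalised to a variable number of chunks, with the bracket stripping done by a regex trim (so an empty trailing chunk is harmless) and a type check so rows whose payload never became valid JSON are visible rather than silently producing empty fields. The three-column layout and the values are constructed.

```kusto
// Constructed chunks: each row is one event whose JSON was split across EventInfo0..2,
// each chunk wrapped in [ ] as in the question; the third chunk may be empty
datatable(ei0:string, ei1:string, ei2:string)
[
    '[{ "label" : "likeButton", "stat]',              '[us" : "success" }]',             '',
    '[{ "label" : "shareButton", "status" : "fai]',   '[led", "code" : 403, "user]',     '[" : "alice" }]',
    '[{ "label" : "broken", ]',                       '',                                ''
]
// trim(regex, source) removes only leading/trailing brackets and is a no-op on ''
| extend joined = strcat(trim(@"[\[\]]", ei0), trim(@"[\[\]]", ei1), trim(@"[\[\]]", ei2))
| extend properties = parse_json(joined)
// parse_json() returns the input unchanged when it is not valid JSON, so check what came back
| extend parsed_ok = (gettype(properties) == "dictionary")
| project parsed_ok,
          label  = tostring(properties.label),
          status = tostring(properties.status),
          code   = toint(properties.code)
```

The first two rows parse (likeButton/success, and shareButton/failed with code 403); the third row is truncated, so parsed_ok is false and its projected fields are empty. Surfacing parsed_ok matters when these properties feed a dashboard or alert: a silently empty status reads the same as a missing one, while a false parsed_ok points at a telemetry problem on the client side.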

Kusto query issue with title keyword

I assume title may be a reserved word or similar, but the query below refuses to be parsed around c.title. Not sure what exactly the issue is with the query itself.
AzureActivity
| where CategoryValue == "ResourceHealth" and ResourceProviderValue == "MICROSOFT.COMPUTE"
| where not (ResourceGroup startswith "DATABRICKS-RG")
| extend d=parse_json(Properties)
| extend c = parse_json(tostring(d.eventProperties))
| where c.cause == "PlatformInitiated" and not(c.title == "Live Migration")
Error shown:
SYNTAX ERROR
Query could not be parsed at '.' on line [6,48]
Token: .
Line: 6
Position: 48
If issue persists, please open a support ticket.
Request id: 6a4d4bae-41f6-43b4-9657-55fc435acab9
As title is a reserved keyword in the language, you could replace c.title with c['title'].
See: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/dynamic#dynamic-object-accessors
