kusto query with dynamic object value without key - azure-application-insights

I have a lot of data looking like
{"tuesday":"<30, 60>"}
{"friday":"<0, 5>"}
{"saturday":"<5, 10>"}
{"friday":"<0, 5>"}
{"saturday":"<5, 10>"}
{"sunday":"0"}
{"monday":"<0, 5>"}
All I want is the value regardless of the key.
My query:
customEvents
| where name == "eventName"
| extend d = parse_json(tostring(customDimensions.['Properties']))
| project d
| take 7
d is a dynamic object and I can do d.monday for the value, but I'd like to get the value without the key. Is this possible with Kusto?
Thanks

For the case of a single property, as you've demonstrated above, using the parse operator could work:
datatable(d:dynamic)
[
    dynamic({"tuesday":"<30, 60>"}),
    dynamic({"friday":"<0, 5>"}),
    dynamic({"saturday":"<5, 10>"}),
    dynamic({"friday":"<0, 5>"}),
    dynamic({"saturday":"<5, 10>"}),
    dynamic({"sunday":"0"}),
    dynamic({"monday":"<0, 5>"})
]
| parse d with * ':"' value '"' *
| project value
Notes:
In case your values are not necessarily encapsulated in double quotes (e.g. are numerics), then you should be able to specify kind=regex for the parse operator, and use a conditional expression for the existence of the double quotes.
In case you have potentially more than 1 property per property bag, using extract_all() is an option.
Relevant Docs:
https://learn.microsoft.com/en-us/azure/kusto/query/parseoperator
https://learn.microsoft.com/en-us/azure/kusto/query/extractallfunction
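
An added example (not part of the original answer) that goes beyond the single-property case: it puts the extract_all() route from the notes beside a structure-aware route built on mv-apply and bag_keys(), over constructed rows that include a numeric value and a two-property bag. The column names raw, values_regex and values_bag are made up for the illustration.

```kusto
// Constructed sample rows: a quoted value, a numeric value,
// and a bag with two properties.
datatable(d:dynamic)
[
    dynamic({"tuesday":"<30, 60>"}),
    dynamic({"sunday":0}),
    dynamic({"monday":"<0, 5>","friday":"<5, 10>"})
]
| extend raw = tostring(d)
// Text route: capture every double-quoted value that follows a key.
// The pattern only sees quoted values, so the numeric 0 is not captured,
// and a value containing an escaped quote would be cut short.
| extend values_regex = extract_all(@'":"([^"]*)"', raw)
// Structure route: mv-apply hands the subquery one single-property bag
// per property, so the key is read with bag_keys() and used as an index.
| mv-apply d on
(
    extend key = tostring(bag_keys(d)[0])
    | summarize values_bag = make_list(tostring(d[key]))
)
| project raw, values_regex, values_bag
```

Comparing the two array columns row by row shows where text matching on serialized JSON drops values that the bag-based route keeps.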

Related

Strange behavior with todatetime function

| extend CommandTimeStamp = tostring(customDimensions['CommandTimeStamp'])
| extend originalValue = CommandTimeStamp
| extend constantValue = "11/16/2021 6:04:17 AM +00:00"
| project originalValue, constantValue, equals = (CommandTimeStamp == constantValue), originalTime = CommandTimeStamp, timeColum1 = todatetime(constantValue), timeColum2 = todatetime(CommandTimeStamp)
Get Result:
The last column is empty. It is strange.
Can someone explain it? It blocks us a lot.
The list of supported datetime formats is available here: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/datetime
The format you're using isn't included in that list, and you may want to first manipulate it in the origin, or using query functions, prior to casting it using todatetime().
The fact that casting the constant string literal works is because it's handled in a separate code path, that (currently) happens to support undocumented formats.

Netmiko: How to search in switch using a variable

I am not getting any output if I am doing this.
mac_address="abcd"
output=net_connect.send_command('show mac-address-table | inc mac_address')
print("Output of the switch ",output)
I am getting the desired output if I am doing this.
output=net_connect.send_command('show mac-address-table | inc abcd')
print("Output of the switch ",output)
What should I change in the code so that I can use a variable?
The closing quote in the first example is after mac_address, making that literal text, not a variable. I'm not sure how you append two strings, but something like:
output=net_connect.send_command('show mac-address-table | inc '+mac_address)
where the + is appending the literal string and the variable string.

How can you filter on "Keys" using jq?

I am looking to filter a JSON stream based on its keys. Here is the public JSON file:
https://s3.amazonaws.com/okta-ip-ranges/ip_ranges.json that I am trying to wrangle. When I filter this for keys jq 'keys', I get the following output
[
"apac_cell_1",
"emea_cell_1",
"emea_cell_2",
"preview_cell_1",
"preview_cell_2",
"preview_cell_3",
"us_cell_1",
"us_cell_10",
"us_cell_11",
"us_cell_12",
"us_cell_2",
"us_cell_3",
"us_cell_4",
"us_cell_5",
"us_cell_6",
"us_cell_7"
]
I am trying to get all the ip_ranges associated with the keys starting with "us_cell_*" and I have not found a way to do it. Most of the filtering seems to be focused on the values and not the keys.
You can use the following:
to_entries | map(select(.key | startswith("us_cell_")) | .value.ip_ranges) | add
to_entries maps the root object into an array of objects with key and value fields corresponding to the fields of the original object.
We filter that to retain only those which have a key starting with "us_cell_", map it further to keep only the ip ranges and finally merge those arrays together.

Aggregate values from customMeasurements column

For my company I need to extract data from Azure Application Insights.
All the relevant data is stored in the customMeasurements. Currently, the table looks something like this:
name    | itemType    | customMeasurements
-----------------------------------------------------------
AppName | customEvent | {
                          Feature1:1,
                          Feature2:0,
                          Feature3:0
                        }
-----------------------------------------------------------
AppName | customEvent | {
                          Feature1:0,
                          Feature2:1,
                          Feature3:0
                        }
I'm trying to find a Kusto query which will aggregate all enabled features (which would have a value of '1'), but I'm unable to do so.
I tried several things to get this resolved like the following:
customEvents
| extend test = tostring(customMeasurements.["Feature2"])
| summarize count() by test
This actually showed me the number of rows that have Feature2 set to '1', but I want to be able to extract all features that have been enabled without specifying them in the query (as they can have custom names).
Could somebody point me in the right direction, please?
Perhaps something like the following could give you a direction:
datatable(name:string, itemType:string, customMeasurements:dynamic)
[
    'AppName', 'customEvent', dynamic({"Feature1":1,"Feature2":0,"Feature3":0}),
    'AppName', 'customEvent', dynamic({"Feature1":0,"Feature2":1,"Feature3":0}),
]
| mv-apply customMeasurements on
(
    extend feature = tostring(bag_keys(customMeasurements)[0])
    | where customMeasurements[feature] == 1
)
| summarize enabled_features = make_set(feature) by name

Application Insights Extract Nested CustomDimensions

I have some data in Application Insights Analytics that has a dynamic object as a property of custom dimensions. For example:
| timestamp | name | customDimensions | etc |
|-------------------------|---------|----------------------------------|-----|
| 2017-09-11T19:56:20.000 | Spinner | {                                | ... |
                                        MyCustomDimension: "hi"
                                        Properties:
                                          context: "ABC"
                                          userMessage: "Some other"
                                      }
Does that make sense? So a key/value pair inside of customDimensions.
I'm trying to bring up the context property to be a proper column in the results. So expected would be :
| timestamp | name | customDimensions | context| etc |
|-------------------------|---------|----------------------------------|--------|-----|
| 2017-09-11T19:56:20.000 | Spinner | {                                | ABC    | ...
                                        MyCustomDimension: "hi"
                                        Properties:
                                          context: "ABC"
                                          userMessage: "Some other"
                                      }
I've tried this:
customEvents | where name == "Spinner" | extend Context = customDimensions.Properties["context"]
and this:
customEvents | where name == "Spinner" | extend Context = customDimensions.Properties.context
but neither seems to work. They give me a column at the end named "Context" but the column is empty - no values.
Any ideas?
EDIT:
Added a picture for clarifying the format of the data:
Edited to working answer:
customEvents
| where name == "Spinner"
| extend Properties = todynamic(tostring(customDimensions.Properties))
| extend Context = Properties.context
You need an extra tostring and todynamic in here to get what you expect (and what I expected!).
The explanation I was given:
Dynamic field "promises" you the upper/outer level of key / value access (this is how you access customDimensions.Properties).
Accessing internal structure of that json depends on the exact format of customDimensions.Properties content. It doesn’t have to be json by itself. Even if it looks like a well structured json, it still may be just a string that is not exactly well formatted json.
So basically, it by default won't attempt to parse strings inside of a dynamic/json block because they don't want to spend a lot of time possibly trying and failing to convert nested content to json infinitely.
I still think that extra tostring shouldn't be required inside there, since todynamic should already be allowing both string and dynamic in validly, so I'm checking to see if the team that owns the query stuff can make that step better.
Thanks sooo much. Just to expand on the answer from John: we needed to graph the duration of end-points using custom events. This query made it so we could specify the duration as our Y-axis in the chart:
customEvents
| extend Properties = todynamic(tostring(customDimensions.Properties))
| extend duration = todouble(todecimal(Properties.duration))
| project timestamp, name, duration
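
The behaviour described in the explanation above, as an added example that is not part of the original thread: Properties is stored as a string holding JSON text, so dotted access only works after an explicit parse, and a malformed string fails quietly. The datatable rows and the column names rawProperties, storedAs, Direct and parsedOk are constructed for the illustration.

```kusto
// Constructed rows: one well-formed JSON string and one truncated string.
datatable(name:string, rawProperties:string)
[
    "Spinner", '{"context":"ABC","userMessage":"Some other"}',
    "Spinner", '{"context":"ABC", userMessage'
]
// Rebuild the shape from the question: Properties is a string-valued
// entry inside the customDimensions bag.
| extend customDimensions = bag_pack("MyCustomDimension", "hi", "Properties", rawProperties)
// gettype() reports how the nested value is actually stored.
| extend storedAs = gettype(customDimensions.Properties)
// Dotted access straight into the string-valued property, as in the question.
| extend Direct = tostring(customDimensions.Properties.context)
// The working answer: force to string, then parse as JSON.
| extend Properties = todynamic(tostring(customDimensions.Properties))
// todynamic() hands back the original string when the text is not valid
// JSON, so check for a property bag before trusting nested fields.
| extend parsedOk = gettype(Properties) == "dictionary"
| extend Context = tostring(Properties.context)
| project name, storedAs, Direct, parsedOk, Context
```

Filtering on parsedOk == false is a quick way to find events whose nested payload never parsed and would otherwise show up as empty columns.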
