I would like to use the variable settingName for the dynamic json property. How can i accomplish that?
let settingName = 'LaunchNext';
DSEvents
| where Timestamp > ago(1d) and Data contains (settingName)
| summarize count() by tostring(parsejson(tostring(Data.Settings)).LaunchNext.value)
I want to substitute the variable instead of the actual property
parsejson(tostring(Data.Settings)).LaunchNext.value
Enclosing the variable in [] worked for me
tostring(parsejson(tostring(Data.Settings)).[settingName].value)
Related
This is my datatable:
datatable(Id:dynamic)
[
dynamic([987654321][Just Kusto Things]),
]
and I've extracted 1 field from a json using
| project ID=parse_json(Data).["CustomValue"]
And the result is something like - [987654321][Just Kusto Things]. I wanted to extract the numbered value(987654321) within the 1st square brackets. How to best retrieve that value? Using split/parse/extract?
the datatable in the sample is not valid. If the values are just an array then you can get the results by using the array position like this:
datatable(Id:dynamic)
[
dynamic([987654321,"Just Kusto Things"]),
]
| extend Id = Id[0]
If it is something else, please provide a valid datatable with an example that is representative of the real data.
the result is something like - [987654321][Just Kusto Things]. I wanted to extract the numbered value(987654321) within the 1st square brackets. How to best retrieve that value?
you can use the parse operator
For example:
print input = '[987654321][Just Kusto Things]'
| parse input with '[' output:long ']' *
pack_all() function considers all the input columns while making a dynamic object. Is it possible to somehow force it to consider only non-empty & non-null columns? If not, is there any workaround to apply filter on top of the resulting dynamic value?
There is no flavor of pack_all that will do it, but as an alternative, you can combine mv-apply and mv-expand operators to achieve this. Here is an example (adapted from the docs):
datatable(SourceNumber:string,TargetNumber:string,CharsCount:long)
[
'555-555-1234','555-555-1212',46,
'555-555-1234','555-555-1213',50,
'555-555-1212','',int(null)
]
| extend values =pack_all()
| mv-apply removeProperties = values on
(
mv-expand kind = array values
| where isempty(values[1])
| summarize propsToRemove = make_set(values[0])
)
| extend values = bag_remove_keys(values, propsToRemove)
| project-away propsToRemove
It should be added as a new answer, that pack_all() did in the meantime get a new option to exclude null/empty values
pack_all([ignore_null_empty])
ignore_null_empty: An optional bool indicating whether to
ignore null/empty columns and exclude them from the resulting property
bag. Default: false.
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/packallfunction
I have a JSON property bag being received as an update to configuration. I would like to retrieve the existing latest property bag from the table, manipulate it to remove the keys that are being updated using the bag_remove_keys and bag_merge operators.
This is being used in an update policy, so I have the new property bag in an extend from the input data, I need to perform a new extend to retrieve the current latest property set existing in the table.
Something similar to the below:
rawhsimessages
//Get #RecType
| extend ParsedMessage = parse_json(Message)
| extend Objects = ParsedMessage["ExportedConfig"]["Objects"]
| parse Objects with "[" Objects "]"
| extend Properties = parse_json(Objects)
| extend RecType = Properties["#RecType"]
| where RecType == "CHANGE"
| extend latestconfig = XXXX(GeoSCADAConfigurationTest | where Id == Properties["Id"] | summarize arg_max(ConfigTime, Properties)
| project-away Message, ParsedMessage, Objects
Can I replace the XXXX with anything that will allow me to do this?
If not, is there a better approach I can take?
I would like to dynamically name the calculated column, like this:
.create-or-alter function ToNewName(T:(Id:string), columnName: string)
{
T | extend columnName = Id
}
However, this create a new column called columnName instead. How do I make the second columnName link to the parameter?
There is no built in support for this in the language, however here is a possible workaround:
let foo = (p:string)
{
print z=pack(p, 1)
| evaluate bag_unpack(z)
};
foo('this is a run-time column name')
I have a database which uses JSON to store values.
CREATE TABLE JSON(name TEXT, value TEXT);
I am trying to convert this into a native format.
CREATE TABLE NATIVE(name TEXT, KEY1, KEY2, KEY3);
The JSON format looks like this:
[
{"key1":value1, "key2":value2, "key3":value3},
{"key1":value4, "key2":value5, "key3":value6},
....
]
For the above example, I am trying to come up with a query using INSERT INTO NATIVE (name, KEY1, KEY2, KEY3) SELECT <something> FROM JSON to produce this table:
+------+---------+--------+--------+
| TEXT | KEY1 | KEY2 | KEY3 |
+------+---------+--------+--------+
| TEXT | VALUE1 | VALUE2 | VALUE3 |
| TEXT | VALUE4 | VALUE5 | VALUE3 |
...
+------+---------+--------+--------+
I have been using JSON1 for other tables which use simple objects. So for instance when I have values which are objects and not arrays of objects I can use json_extract for each field.
For an array I think I am supposed to use json_each but I am having a hard time figuring out how to apply it to this specific problem.
I came up with this solution:
INSERT INTO NATIVE (name, key1, key2, key3)
SELECT name, json_extract(x.value, '$.key1')
, json_extract(x.value, '$.key2')
, json_extract(x.value, '$.key3')
FROM JSON, json_each(JSON.value) AS x;
The trick is that json_each when used in conjunction with the table containing JSON and a SELECT is returning rows in which there are fields called key and value which contain each key and value. It is then possible to call json_extract in the select to pick individual fields out, which can then be inserted into the new table.
We can try using the JSON_EXTRACT function from the json1 extension library, along with an INSERT INTO ... SELECT:
INSERT INTO NATIVE(name TEXT, KEY1, KEY2, KEY3)
SELECT
name,
JSON_EXTRACT(value, '$.key1'),
JSON_EXTRACT(value, '$.key2'),
JSON_EXTRACT(value, '$.key3')
FROM JSON;
This assumes that it is the value column in JSON which contains the raw JSON. If not, then replace value in the above query by whatever column contains the JSON content.