如何在具有多层的 kusto/data 资源管理器中扩展 JSON 数据?
How to i expand JSON data in kusto/data explorer that has multiple layers?
我正在尝试根据这篇 Microsoft 文章将 JSON 数组数据(特别是 'Objects' 数组)提取到 Azure 数据资源管理器中。 (仅 JSON 数组部分)
我的 JSON 数据与示例不同,因为它在 JSON 中有一个附加层,当将原始事件行扩展到第二个 table 时,输入的行是空白的。我假设该函数无法使用 kusto 函数找到 'Objects'?
.create function EventRecordsExpand() {
rawhsievents
| mv-expand Objects = Event
| project
AlarmState = tostring(Objects["AlarmState"]),
AreaOfInterest = tostring(Objects["AreaOfInterest"]),
Category = tostring(Objects["Category"]),
EncodedMessage = tostring(Objects["EncodedMessage"]),
Fullname = tostring(Objects["Fullname"]),
Id = tolong(Objects["Id"]),
Message = tostring(Objects["Message"]),
ReceiptTime = todatetime(Objects["ReceiptTime"]),
RecordTime = todatetime(Objects["RecordTime"]),
Severity = tostring(Objects["Severity"]),
User = tostring(Objects["User"])
}
我的 JSON 数据示例如下:
{
"ExportedEvents": {
"Header": {
"SystemName": "Mids",
"StartDate": "2020-11-03T12:28:00.55Z",
"EndDate": "2020-11-03T12:28:11.521Z"
},
"Objects": [{
"AlarmState": "",
"AreaOfInterest": "",
"Category": "Action",
"EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
"Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
"Id": 456020,
"Message": "RequestExportXML request rejected - Invalid configuration",
"ReceiptTime": "2020-11-03T12:28:00.55Z",
"RecordTime": "2020-11-03T12:28:00.55Z",
"Severity": "Low",
"User": "Schedule"
},
{
"AlarmState": "",
"AreaOfInterest": "",
"Category": "Action",
"EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
"Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
"Id": 456020,
"Message": "RequestExportXML request rejected - Invalid configuration",
"ReceiptTime": "2020-11-03T12:28:00.551Z",
"RecordTime": "2020-11-03T12:28:00.551Z",
"Severity": "Low",
"User": "Schedule"
}
]
}
}
我是否需要第二个 mv-expand 来将数据扩展两次?
您似乎 mv-expand
使用了错误的动态对象,您需要先访问 ExportedEvents.Objects
。
例如:
datatable(Event:dynamic)
[
dynamic({
"ExportedEvents": {
"Header": {
"SystemName": "Mids",
"StartDate": "2020-11-03T12:28:00.55Z",
"EndDate": "2020-11-03T12:28:11.521Z"
},
"Objects": [{
"AlarmState": "",
"AreaOfInterest": "",
"Category": "Action",
"EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
"Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
"Id": 456020,
"Message": "RequestExportXML request rejected - Invalid configuration",
"ReceiptTime": "2020-11-03T12:28:00.55Z",
"RecordTime": "2020-11-03T12:28:00.55Z",
"Severity": "Low",
"User": "Schedule"
},
{
"AlarmState": "",
"AreaOfInterest": "",
"Category": "Action",
"EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
"Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
"Id": 456020,
"Message": "RequestExportXML request rejected - Invalid configuration",
"ReceiptTime": "2020-11-03T12:28:00.551Z",
"RecordTime": "2020-11-03T12:28:00.551Z",
"Severity": "Low",
"User": "Schedule"
}
]
}
})
]
| mv-expand Objects = Event.ExportedEvents.Objects
| project
AlarmState = tostring(Objects["AlarmState"]),
AreaOfInterest = tostring(Objects["AreaOfInterest"]),
Category = tostring(Objects["Category"]),
EncodedMessage = tostring(Objects["EncodedMessage"]),
Fullname = tostring(Objects["Fullname"]),
Id = tolong(Objects["Id"]),
Message = tostring(Objects["Message"]),
ReceiptTime = todatetime(Objects["ReceiptTime"]),
RecordTime = todatetime(Objects["RecordTime"]),
Severity = tostring(Objects["Severity"]),
User = tostring(Objects["User"])
returns:
| AlarmState | AreaOfInterest | Category | EncodedMessage | Fullname | Id | Message | ReceiptTime | RecordTime | Severity | User |
|------------|----------------|----------|-------------------------------------------|-----------------------------------------------------------------------------------------|--------|-----------------------------------------------------------|-----------------------------|-----------------------------|----------|----------|
| | | Action | Kernel,469,M(Lib,101,S"RequestExportXML") | System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner | 456020 | RequestExportXML request rejected - Invalid configuration | 2020-11-03 12:28:00.5500000 | 2020-11-03 12:28:00.5500000 | Low | Schedule |
| | | Action | Kernel,469,M(Lib,101,S"RequestExportXML") | System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner | 456020 | RequestExportXML request rejected - Invalid configuration | 2020-11-03 12:28:00.5510000 | 2020-11-03 12:28:00.5510000 | Low | Schedule |
我正在尝试根据这篇 Microsoft 文章将 JSON 数组数据(特别是 'Objects' 数组)提取到 Azure 数据资源管理器中。 (仅 JSON 数组部分)
我的 JSON 数据与示例不同,因为它在 JSON 中有一个附加层,当将原始事件行扩展到第二个 table 时,输入的行是空白的。我假设该函数无法使用 kusto 函数找到 'Objects'?
.create function EventRecordsExpand() {
rawhsievents
| mv-expand Objects = Event
| project
AlarmState = tostring(Objects["AlarmState"]),
AreaOfInterest = tostring(Objects["AreaOfInterest"]),
Category = tostring(Objects["Category"]),
EncodedMessage = tostring(Objects["EncodedMessage"]),
Fullname = tostring(Objects["Fullname"]),
Id = tolong(Objects["Id"]),
Message = tostring(Objects["Message"]),
ReceiptTime = todatetime(Objects["ReceiptTime"]),
RecordTime = todatetime(Objects["RecordTime"]),
Severity = tostring(Objects["Severity"]),
User = tostring(Objects["User"])
}
我的 JSON 数据示例如下:
{
"ExportedEvents": {
"Header": {
"SystemName": "Mids",
"StartDate": "2020-11-03T12:28:00.55Z",
"EndDate": "2020-11-03T12:28:11.521Z"
},
"Objects": [{
"AlarmState": "",
"AreaOfInterest": "",
"Category": "Action",
"EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
"Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
"Id": 456020,
"Message": "RequestExportXML request rejected - Invalid configuration",
"ReceiptTime": "2020-11-03T12:28:00.55Z",
"RecordTime": "2020-11-03T12:28:00.55Z",
"Severity": "Low",
"User": "Schedule"
},
{
"AlarmState": "",
"AreaOfInterest": "",
"Category": "Action",
"EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
"Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
"Id": 456020,
"Message": "RequestExportXML request rejected - Invalid configuration",
"ReceiptTime": "2020-11-03T12:28:00.551Z",
"RecordTime": "2020-11-03T12:28:00.551Z",
"Severity": "Low",
"User": "Schedule"
}
]
}
}
我是否需要第二个 mv-expand 来将数据扩展两次?
您似乎 mv-expand
使用了错误的动态对象,您需要先访问 ExportedEvents.Objects
。
例如:
datatable(Event:dynamic)
[
dynamic({
"ExportedEvents": {
"Header": {
"SystemName": "Mids",
"StartDate": "2020-11-03T12:28:00.55Z",
"EndDate": "2020-11-03T12:28:11.521Z"
},
"Objects": [{
"AlarmState": "",
"AreaOfInterest": "",
"Category": "Action",
"EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
"Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
"Id": 456020,
"Message": "RequestExportXML request rejected - Invalid configuration",
"ReceiptTime": "2020-11-03T12:28:00.55Z",
"RecordTime": "2020-11-03T12:28:00.55Z",
"Severity": "Low",
"User": "Schedule"
},
{
"AlarmState": "",
"AreaOfInterest": "",
"Category": "Action",
"EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
"Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
"Id": 456020,
"Message": "RequestExportXML request rejected - Invalid configuration",
"ReceiptTime": "2020-11-03T12:28:00.551Z",
"RecordTime": "2020-11-03T12:28:00.551Z",
"Severity": "Low",
"User": "Schedule"
}
]
}
})
]
| mv-expand Objects = Event.ExportedEvents.Objects
| project
AlarmState = tostring(Objects["AlarmState"]),
AreaOfInterest = tostring(Objects["AreaOfInterest"]),
Category = tostring(Objects["Category"]),
EncodedMessage = tostring(Objects["EncodedMessage"]),
Fullname = tostring(Objects["Fullname"]),
Id = tolong(Objects["Id"]),
Message = tostring(Objects["Message"]),
ReceiptTime = todatetime(Objects["ReceiptTime"]),
RecordTime = todatetime(Objects["RecordTime"]),
Severity = tostring(Objects["Severity"]),
User = tostring(Objects["User"])
returns:
| AlarmState | AreaOfInterest | Category | EncodedMessage | Fullname | Id | Message | ReceiptTime | RecordTime | Severity | User |
|------------|----------------|----------|-------------------------------------------|-----------------------------------------------------------------------------------------|--------|-----------------------------------------------------------|-----------------------------|-----------------------------|----------|----------|
| | | Action | Kernel,469,M(Lib,101,S"RequestExportXML") | System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner | 456020 | RequestExportXML request rejected - Invalid configuration | 2020-11-03 12:28:00.5500000 | 2020-11-03 12:28:00.5500000 | Low | Schedule |
| | | Action | Kernel,469,M(Lib,101,S"RequestExportXML") | System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner | 456020 | RequestExportXML request rejected - Invalid configuration | 2020-11-03 12:28:00.5510000 | 2020-11-03 12:28:00.5510000 | Low | Schedule |