如何在具有多层的 kusto/data 资源管理器中扩展 JSON 数据?

How to i expand JSON data in kusto/data explorer that has multiple layers?

我正在尝试根据这篇 Microsoft 文章将 JSON 数组数据(特别是 'Objects' 数组)提取到 Azure 数据资源管理器中。 (仅 JSON 数组部分)

https://docs.microsoft.com/en-us/azure/data-explorer/ingest-json-formats?tabs=kusto-query-language&source=docs#ingest-json-records-containing-arrays

我的 JSON 数据与示例不同,因为它在 JSON 中有一个附加层,当将原始事件行扩展到第二个 table 时,输入的行是空白的。我假设该函数无法使用 kusto 函数找到 'Objects'?

.create function EventRecordsExpand() {
    rawhsievents
    | mv-expand Objects = Event
    | project
        AlarmState = tostring(Objects["AlarmState"]),
        AreaOfInterest = tostring(Objects["AreaOfInterest"]),
        Category = tostring(Objects["Category"]),
        EncodedMessage = tostring(Objects["EncodedMessage"]),
        Fullname = tostring(Objects["Fullname"]),
        Id = tolong(Objects["Id"]),
        Message = tostring(Objects["Message"]),
        ReceiptTime = todatetime(Objects["ReceiptTime"]),
        RecordTime = todatetime(Objects["RecordTime"]),
        Severity = tostring(Objects["Severity"]),
        User = tostring(Objects["User"])
}

我的 JSON 数据示例如下:

{
    "ExportedEvents": {
        "Header": {
            "SystemName": "Mids",
            "StartDate": "2020-11-03T12:28:00.55Z",
            "EndDate": "2020-11-03T12:28:11.521Z"
        },
        "Objects": [{
                "AlarmState": "",
                "AreaOfInterest": "",
                "Category": "Action",
                "EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
                "Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
                "Id": 456020,
                "Message": "RequestExportXML request rejected - Invalid configuration",
                "ReceiptTime": "2020-11-03T12:28:00.55Z",
                "RecordTime": "2020-11-03T12:28:00.55Z",
                "Severity": "Low",
                "User": "Schedule"
            },
            {
                "AlarmState": "",
                "AreaOfInterest": "",
                "Category": "Action",
                "EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
                "Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
                "Id": 456020,
                "Message": "RequestExportXML request rejected - Invalid configuration",
                "ReceiptTime": "2020-11-03T12:28:00.551Z",
                "RecordTime": "2020-11-03T12:28:00.551Z",
                "Severity": "Low",
                "User": "Schedule"
            }
        ]
    }
}

我是否需要第二个 mv-expand 来将数据扩展两次?

您似乎 mv-expand 使用了错误的动态对象,您需要先访问 ExportedEvents.Objects

例如:

datatable(Event:dynamic)
[
    dynamic({
        "ExportedEvents": {
            "Header": {
                "SystemName": "Mids",
                "StartDate": "2020-11-03T12:28:00.55Z",
                "EndDate": "2020-11-03T12:28:11.521Z"
            },
            "Objects": [{
                    "AlarmState": "",
                    "AreaOfInterest": "",
                    "Category": "Action",
                    "EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
                    "Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
                    "Id": 456020,
                    "Message": "RequestExportXML request rejected - Invalid configuration",
                    "ReceiptTime": "2020-11-03T12:28:00.55Z",
                    "RecordTime": "2020-11-03T12:28:00.55Z",
                    "Severity": "Low",
                    "User": "Schedule"
                },
                {
                    "AlarmState": "",
                    "AreaOfInterest": "",
                    "Category": "Action",
                    "EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
                    "Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
                    "Id": 456020,
                    "Message": "RequestExportXML request rejected - Invalid configuration",
                    "ReceiptTime": "2020-11-03T12:28:00.551Z",
                    "RecordTime": "2020-11-03T12:28:00.551Z",
                    "Severity": "Low",
                    "User": "Schedule"
                }
            ]
        }
    })
]
| mv-expand Objects = Event.ExportedEvents.Objects
| project
        AlarmState = tostring(Objects["AlarmState"]),
        AreaOfInterest = tostring(Objects["AreaOfInterest"]),
        Category = tostring(Objects["Category"]),
        EncodedMessage = tostring(Objects["EncodedMessage"]),
        Fullname = tostring(Objects["Fullname"]),
        Id = tolong(Objects["Id"]),
        Message = tostring(Objects["Message"]),
        ReceiptTime = todatetime(Objects["ReceiptTime"]),
        RecordTime = todatetime(Objects["RecordTime"]),
        Severity = tostring(Objects["Severity"]),
        User = tostring(Objects["User"])

returns:

| AlarmState | AreaOfInterest | Category | EncodedMessage                            | Fullname                                                                                | Id     | Message                                                   | ReceiptTime                 | RecordTime                  | Severity | User     |
|------------|----------------|----------|-------------------------------------------|-----------------------------------------------------------------------------------------|--------|-----------------------------------------------------------|-----------------------------|-----------------------------|----------|----------|
|            |                | Action   | Kernel,469,M(Lib,101,S"RequestExportXML") | System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner | 456020 | RequestExportXML request rejected - Invalid configuration | 2020-11-03 12:28:00.5500000 | 2020-11-03 12:28:00.5500000 | Low      | Schedule |
|            |                | Action   | Kernel,469,M(Lib,101,S"RequestExportXML") | System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner | 456020 | RequestExportXML request rejected - Invalid configuration | 2020-11-03 12:28:00.5510000 | 2020-11-03 12:28:00.5510000 | Low      | Schedule |