如何在字段为动态时读取 Kusto 查询中的 JSON 字段
How to read JSON field in Kusto query when fields are dynamic
我正在处理以下查询产生的 JSON 数据(如下)。
SignInLogs
| project AddtionalDetails
结果
[{"value":"test.com","key":"TenantId"},{"value":"PC100921","key":"PolicyId"},{"value":"f4525425-60ff-42a7-acf4-f88c4266431f","key":"ApplicationId"},{"value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","key":"Client"},{"value":"SMS","key":"VerificationMethod"},{"value":"+1232123211","key":"PhoneNumber"},{"value":"e000::5890, 128.1.1.1","key":"ClientIpAddress"},{"value":"https://test.com","key":"DomainName"}]
我想访问特定的文件,例如PolicyId,使用查询 SignInLogs | Policy=extractjson("$.[1].value", tostring(AdditionalDetails)) | project Policy 。但是,由于不能保证字段的顺序及其存在,因此不能始终使用 [1] 作为索引。
是否有更好的方法来访问未承诺订购和可用性的 JSON 字段?与其他语言一样,您可以检查空引用并通过键名访问。
是这样的吗?
let T =datatable(AdditionalDetails:dynamic )[dynamic([{"value":"test.com","key":"TenantId"},{"value":"PC100921","key":"PolicyId"},{"value":"f4525425-60ff-42a7-acf4-f88c4266431f","key":"ApplicationId"},{"value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","key":"Client"},{"value":"SMS","key":"VerificationMethod"},{"value":"+1232123211","key":"PhoneNumber"},{"value":"e000::5890, 128.1.1.1","key":"ClientIpAddress"},{"value":"https://test.com","key":"DomainName"}])];
T
| mv-apply AdditionalDetails on (
extend IP = iif(AdditionalDetails.key=="ClientIpAddress", tostring(AdditionalDetails.value), ""),
PolicyId = iif(AdditionalDetails.key=="PolicyId", tostring(AdditionalDetails.value), "")
| where isnotempty(IP) or isnotempty( PolicyId)
| summarize take_any(IP), take_any(PolicyId)
)
IP
PolicyId
e000::5890, 128.1.1.1
PC100921
我正在处理以下查询产生的 JSON 数据(如下)。
SignInLogs
| project AddtionalDetails
结果
[{"value":"test.com","key":"TenantId"},{"value":"PC100921","key":"PolicyId"},{"value":"f4525425-60ff-42a7-acf4-f88c4266431f","key":"ApplicationId"},{"value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","key":"Client"},{"value":"SMS","key":"VerificationMethod"},{"value":"+1232123211","key":"PhoneNumber"},{"value":"e000::5890, 128.1.1.1","key":"ClientIpAddress"},{"value":"https://test.com","key":"DomainName"}]
我想访问特定的文件,例如PolicyId,使用查询 SignInLogs | Policy=extractjson("$.[1].value", tostring(AdditionalDetails)) | project Policy 。但是,由于不能保证字段的顺序及其存在,因此不能始终使用 [1] 作为索引。
是否有更好的方法来访问未承诺订购和可用性的 JSON 字段?与其他语言一样,您可以检查空引用并通过键名访问。
是这样的吗?
let T =datatable(AdditionalDetails:dynamic )[dynamic([{"value":"test.com","key":"TenantId"},{"value":"PC100921","key":"PolicyId"},{"value":"f4525425-60ff-42a7-acf4-f88c4266431f","key":"ApplicationId"},{"value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","key":"Client"},{"value":"SMS","key":"VerificationMethod"},{"value":"+1232123211","key":"PhoneNumber"},{"value":"e000::5890, 128.1.1.1","key":"ClientIpAddress"},{"value":"https://test.com","key":"DomainName"}])];
T
| mv-apply AdditionalDetails on (
extend IP = iif(AdditionalDetails.key=="ClientIpAddress", tostring(AdditionalDetails.value), ""),
PolicyId = iif(AdditionalDetails.key=="PolicyId", tostring(AdditionalDetails.value), "")
| where isnotempty(IP) or isnotempty( PolicyId)
| summarize take_any(IP), take_any(PolicyId)
)
| IP | PolicyId |
|---|---|
| e000::5890, 128.1.1.1 | PC100921 |