在 Kusto QL 中解析数组 - 提取特定值
Parsing an array in Kusto QL - extracting a specific value
我正在尝试解析来自 LoggedOnUsers 列的数据并提取 'UserName' 字段的值。我的查询结果是一个空字段。
DeviceInfo | extend field=todynamic(LoggedOnUsers) | project user=field.UserName, LoggedOnUsers | top 1 by LoggedOnUsers
Results
谢谢
您的 LoggedOnUsers 值是对象的 数组 ,因此要提取 UserName 您需要先提取数组中的第一项,例如这个:
let DeviceInfo = datatable(LoggedOnUsers:dynamic) [
dynamic([{"UserName":"gospodarz","DomainName":"VTEST2-PG","Sid":"S-1-5-21-1814037467-..."}])
];
DeviceInfo
| extend user = tostring(LoggedOnUsers[0].UserName)
结果:
LoggedOnUsers
user
[
{
"UserName": "gospodarz",
"DomainName": "VTEST2-PG",
"Sid": "S-1-5-21-1814037467-..."
}
]
gospodarz
如果数组可能包含多个条目(并且都具有相同的结构),那么您必须先使用 mv-expand:
let DeviceInfo = datatable(LoggedOnUsers:dynamic) [
dynamic([{"UserName":"gospodarz","DomainName":"VTEST2-PG","Sid":"S-1-5-21-1814037467-..."},
{"UserName":"another_user","DomainName":"VTEST2-PG","Sid":"S-1-5-21-1814037467-..."}])
];
DeviceInfo
| mv-expand LoggedOnUsers
| extend user = tostring(LoggedOnUsers.UserName)
结果:
LoggedOnUsers
user
{
"UserName": "gospodarz",
"DomainName": "VTEST2-PG",
"Sid": "S-1-5-21-1814037467-..."
}
gospodarz
{
"UserName": "another_user",
"DomainName": "VTEST2-PG",
"Sid": "S-1-5-21-1814037467-..."
}
another_user
此外,您似乎想通过使用 top 获取出现次数最多的用户名,但是您正试图在动态列上 运行 top,这是无效的。相反,您首先需要计算每个用户名出现的次数,然后对这个数字应用 top。这就是你的做法:
let DeviceInfo = datatable(LoggedOnUsers:dynamic) [
dynamic([{"UserName":"gospodarz","DomainName":"VTEST2-PG","Sid":"S-1-5-21-1814037467-..."},
{"UserName":"another_user","DomainName":"VTEST2-PG","Sid":"S-1-5-21-1814037467-..."},
{"UserName":"another_user","DomainName":"VTEST2-PG","Sid":"S-1-5-21-1814037467-..."}])
];
DeviceInfo
| mv-expand LoggedOnUsers
| extend user = tostring(LoggedOnUsers.UserName)
| summarize count() by user
| top 1 by count_
结果:
user
count_
another_user
2
我正在尝试解析来自 LoggedOnUsers 列的数据并提取 'UserName' 字段的值。我的查询结果是一个空字段。
DeviceInfo | extend field=todynamic(LoggedOnUsers) | project user=field.UserName, LoggedOnUsers | top 1 by LoggedOnUsers
Results
谢谢
您的 LoggedOnUsers 值是对象的 数组 ,因此要提取 UserName 您需要先提取数组中的第一项,例如这个:
let DeviceInfo = datatable(LoggedOnUsers:dynamic) [
dynamic([{"UserName":"gospodarz","DomainName":"VTEST2-PG","Sid":"S-1-5-21-1814037467-..."}])
];
DeviceInfo
| extend user = tostring(LoggedOnUsers[0].UserName)
结果:
| LoggedOnUsers | user |
|---|---|
| [ { "UserName": "gospodarz", "DomainName": "VTEST2-PG", "Sid": "S-1-5-21-1814037467-..." } ] |
gospodarz |
如果数组可能包含多个条目(并且都具有相同的结构),那么您必须先使用 mv-expand:
let DeviceInfo = datatable(LoggedOnUsers:dynamic) [
dynamic([{"UserName":"gospodarz","DomainName":"VTEST2-PG","Sid":"S-1-5-21-1814037467-..."},
{"UserName":"another_user","DomainName":"VTEST2-PG","Sid":"S-1-5-21-1814037467-..."}])
];
DeviceInfo
| mv-expand LoggedOnUsers
| extend user = tostring(LoggedOnUsers.UserName)
结果:
| LoggedOnUsers | user |
|---|---|
| { "UserName": "gospodarz", "DomainName": "VTEST2-PG", "Sid": "S-1-5-21-1814037467-..." } |
gospodarz |
| { "UserName": "another_user", "DomainName": "VTEST2-PG", "Sid": "S-1-5-21-1814037467-..." } |
another_user |
此外,您似乎想通过使用 top 获取出现次数最多的用户名,但是您正试图在动态列上 运行 top,这是无效的。相反,您首先需要计算每个用户名出现的次数,然后对这个数字应用 top。这就是你的做法:
let DeviceInfo = datatable(LoggedOnUsers:dynamic) [
dynamic([{"UserName":"gospodarz","DomainName":"VTEST2-PG","Sid":"S-1-5-21-1814037467-..."},
{"UserName":"another_user","DomainName":"VTEST2-PG","Sid":"S-1-5-21-1814037467-..."},
{"UserName":"another_user","DomainName":"VTEST2-PG","Sid":"S-1-5-21-1814037467-..."}])
];
DeviceInfo
| mv-expand LoggedOnUsers
| extend user = tostring(LoggedOnUsers.UserName)
| summarize count() by user
| top 1 by count_
结果:
| user | count_ |
|---|---|
| another_user | 2 |