使用 KQL (Azure Data Explorer) 从 JSON 列中提取值
Extracting values from JSON column using KQL (Azure Data Explorer)
你能告诉我如何提取 category、enabled 和 categoryGroup 的值吗来自 KQL(Azure Data Explorer) 中的 JSON 列。
低于 JSON 的值正是我在名为“Logs”的列中看到的值。我看到列 Logs 在 table[=13 中定义为 string datatype =]
AzLogsCoverage
| extend Logs = case(isnull(Logs) or isempty(Logs), 'N/A', Logs)
| where Logs <> 'N/A'
| project Logs
| extend LogsCategory = parse_json(Logs).category
[
{
"category": "Administrative",
"enabled": true,
"categoryGroup": null
},
{
"category": "Security",
"enabled": false,
"categoryGroup": null
},
{
"category": "ServiceHealth",
"enabled": false,
"categoryGroup": null
},
{
"category": "Alert",
"enabled": false,
"categoryGroup": null
},
{
"category": "Recommendation",
"enabled": false,
"categoryGroup": null
},
{
"category": "Policy",
"enabled": false,
"categoryGroup": null
},
{
"category": "Autoscale",
"enabled": false,
"categoryGroup": null
},
{
"category": "ResourceHealth",
"enabled": false,
"categoryGroup": null
}
]
如果输入是 string 类型,您首先需要调用 parse_json() on it, to make it of type dynamic.
然后,您可以使用mv-expand/mv-apply扩展数组中的元素,然后您可以显式投影每个元素感兴趣的属性。
例如:
print input = ```[
{
"category": "Administrative",
"enabled": true,
"categoryGroup": null
},
{
"category": "Security",
"enabled": false,
"categoryGroup": null
},
{
"category": "ServiceHealth",
"enabled": false,
"categoryGroup": null
},
{
"category": "Alert",
"enabled": false,
"categoryGroup": null
},
{
"category": "Recommendation",
"enabled": false,
"categoryGroup": null
},
{
"category": "Policy",
"enabled": false,
"categoryGroup": null
},
{
"category": "Autoscale",
"enabled": false,
"categoryGroup": null
},
{
"category": "ResourceHealth",
"enabled": false,
"categoryGroup": null
}
]```
| extend d = parse_json(input)
| mv-apply d on (
project Category = tostring(d.category),
Enabled = tobool(d.enabled),
CategoryGroup = tostring(d.categoryGroup)
)
| project-away input
Category
Enabled
CategoryGroup
Administrative
True
Security
False
ServiceHealth
False
Alert
False
Recommendation
False
Policy
False
Autoscale
False
ResourceHealth
False
AzLogsCoverage
| extend Logs = case(isnull(Logs) or isempty(Logs), 'N/A', Logs)
| extend Metrics = case(isnull(Metrics) or isempty(Metrics), 'N/A', Metrics)
| where Logs <> 'N/A'
| extend LogsDynamic = todynamic(Logs)
| extend MetricsDynamics = todynamic(Metrics)
| mv-expand LogsDynamic, MetricsDynamics
| project SubscriptionId, ResourceId, ResourceName, ResourceType, DiagnosticSettingStatus, DiagnosticSettingId, DiagnosticSettingName, DiagnosticSettingType, LAworkspaceId, LAworkspaceRetentionPeriod,
LogsDynamic.category,LogsDynamic.enabled,LogsDynamic.categoryGroup, MetricsDynamics.category, MetricsDynamics.categoryGroup, MetricsDynamics.enabled, MetricsDynamics.retentionPolicy.enabled , MetricsDynamics.retentionPolicy.days
你能告诉我如何提取 category、enabled 和 categoryGroup 的值吗来自 KQL(Azure Data Explorer) 中的 JSON 列。
低于 JSON 的值正是我在名为“Logs”的列中看到的值。我看到列 Logs 在 table[=13 中定义为 string datatype =]
AzLogsCoverage
| extend Logs = case(isnull(Logs) or isempty(Logs), 'N/A', Logs)
| where Logs <> 'N/A'
| project Logs
| extend LogsCategory = parse_json(Logs).category
[
{
"category": "Administrative",
"enabled": true,
"categoryGroup": null
},
{
"category": "Security",
"enabled": false,
"categoryGroup": null
},
{
"category": "ServiceHealth",
"enabled": false,
"categoryGroup": null
},
{
"category": "Alert",
"enabled": false,
"categoryGroup": null
},
{
"category": "Recommendation",
"enabled": false,
"categoryGroup": null
},
{
"category": "Policy",
"enabled": false,
"categoryGroup": null
},
{
"category": "Autoscale",
"enabled": false,
"categoryGroup": null
},
{
"category": "ResourceHealth",
"enabled": false,
"categoryGroup": null
}
]
如果输入是 string 类型,您首先需要调用 parse_json() on it, to make it of type dynamic.
然后,您可以使用mv-expand/mv-apply扩展数组中的元素,然后您可以显式投影每个元素感兴趣的属性。
例如:
print input = ```[
{
"category": "Administrative",
"enabled": true,
"categoryGroup": null
},
{
"category": "Security",
"enabled": false,
"categoryGroup": null
},
{
"category": "ServiceHealth",
"enabled": false,
"categoryGroup": null
},
{
"category": "Alert",
"enabled": false,
"categoryGroup": null
},
{
"category": "Recommendation",
"enabled": false,
"categoryGroup": null
},
{
"category": "Policy",
"enabled": false,
"categoryGroup": null
},
{
"category": "Autoscale",
"enabled": false,
"categoryGroup": null
},
{
"category": "ResourceHealth",
"enabled": false,
"categoryGroup": null
}
]```
| extend d = parse_json(input)
| mv-apply d on (
project Category = tostring(d.category),
Enabled = tobool(d.enabled),
CategoryGroup = tostring(d.categoryGroup)
)
| project-away input
| Category | Enabled | CategoryGroup |
|---|---|---|
| Administrative | True | |
| Security | False | |
| ServiceHealth | False | |
| Alert | False | |
| Recommendation | False | |
| Policy | False | |
| Autoscale | False | |
| ResourceHealth | False |
AzLogsCoverage
| extend Logs = case(isnull(Logs) or isempty(Logs), 'N/A', Logs)
| extend Metrics = case(isnull(Metrics) or isempty(Metrics), 'N/A', Metrics)
| where Logs <> 'N/A'
| extend LogsDynamic = todynamic(Logs)
| extend MetricsDynamics = todynamic(Metrics)
| mv-expand LogsDynamic, MetricsDynamics
| project SubscriptionId, ResourceId, ResourceName, ResourceType, DiagnosticSettingStatus, DiagnosticSettingId, DiagnosticSettingName, DiagnosticSettingType, LAworkspaceId, LAworkspaceRetentionPeriod,
LogsDynamic.category,LogsDynamic.enabled,LogsDynamic.categoryGroup, MetricsDynamics.category, MetricsDynamics.categoryGroup, MetricsDynamics.enabled, MetricsDynamics.retentionPolicy.enabled , MetricsDynamics.retentionPolicy.days