如何在具有多层的 kusto/data explorer 中扩展 JSON 数据?
[英]How to i expand JSON data in kusto/data explorer that has multiple layers?
问题描述
I am trying to ingest JSON array data (specifically the 'Objects' array) into Azure data explorer, as per this Microsoft article.
根据这篇 Microsoft 文章,我正在尝试将 JSON 数组数据(特别是“对象”数组)提取到 Azure 数据资源管理器中。 (Only the JSON Array section) (仅 JSON 数组部分)
https://learn.microsoft.com/en-us/azure/data-explorer/ingest-json-formats?tabs=kusto-query-language&source=docs#ingest-json-records-containing-arrays https://learn.microsoft.com/en-us/azure/data-explorer/ingest-json-formats?tabs=kusto-query-language&source=docs#ingest-json-records-containing-arrays
My JSON data is different to the example, as it has an additional layer in the JSON, when expanding the raw event row to the second table, the row entered is blank.我的JSON数据和例子不一样,因为它在JSON上多了一层,当把原始事件行展开到第二张表时,输入的行是空的。 I assume the function can't find 'Objects' using the kusto function?我假设 function 无法使用 kusto function 找到“对象”?
.create function EventRecordsExpand() {
rawhsievents
| mv-expand Objects = Event
| project
AlarmState = tostring(Objects["AlarmState"]),
AreaOfInterest = tostring(Objects["AreaOfInterest"]),
Category = tostring(Objects["Category"]),
EncodedMessage = tostring(Objects["EncodedMessage"]),
Fullname = tostring(Objects["Fullname"]),
Id = tolong(Objects["Id"]),
Message = tostring(Objects["Message"]),
ReceiptTime = todatetime(Objects["ReceiptTime"]),
RecordTime = todatetime(Objects["RecordTime"]),
Severity = tostring(Objects["Severity"]),
User = tostring(Objects["User"])
}
An example of my JSON data is below:我的 JSON 数据的示例如下:
{
"ExportedEvents": {
"Header": {
"SystemName": "Mids",
"StartDate": "2020-11-03T12:28:00.55Z",
"EndDate": "2020-11-03T12:28:11.521Z"
},
"Objects": [{
"AlarmState": "",
"AreaOfInterest": "",
"Category": "Action",
"EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
"Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
"Id": 456020,
"Message": "RequestExportXML request rejected - Invalid configuration",
"ReceiptTime": "2020-11-03T12:28:00.55Z",
"RecordTime": "2020-11-03T12:28:00.55Z",
"Severity": "Low",
"User": "Schedule"
},
{
"AlarmState": "",
"AreaOfInterest": "",
"Category": "Action",
"EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
"Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
"Id": 456020,
"Message": "RequestExportXML request rejected - Invalid configuration",
"ReceiptTime": "2020-11-03T12:28:00.551Z",
"RecordTime": "2020-11-03T12:28:00.551Z",
"Severity": "Low",
"User": "Schedule"
}
]
}
}
Do i need a second mv-expand to expand the data twice?我是否需要第二个 mv-expand 来将数据扩展两次?
1 个解决方案
解决方案1
4 已采纳 2021-01-15 21:00:26
it seems like you're mv-expand ing the wrong dynamic object, and you need to access ExportedEvents.Objects first.看起来你mv-expand是错误的动态 object,你需要先访问ExportedEvents.Objects 。
for example:例如:
datatable(Event:dynamic)
[
dynamic({
"ExportedEvents": {
"Header": {
"SystemName": "Mids",
"StartDate": "2020-11-03T12:28:00.55Z",
"EndDate": "2020-11-03T12:28:11.521Z"
},
"Objects": [{
"AlarmState": "",
"AreaOfInterest": "",
"Category": "Action",
"EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
"Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
"Id": 456020,
"Message": "RequestExportXML request rejected - Invalid configuration",
"ReceiptTime": "2020-11-03T12:28:00.55Z",
"RecordTime": "2020-11-03T12:28:00.55Z",
"Severity": "Low",
"User": "Schedule"
},
{
"AlarmState": "",
"AreaOfInterest": "",
"Category": "Action",
"EncodedMessage": "Kernel,469,M(Lib,101,S\"RequestExportXML\")",
"Fullname": "System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner",
"Id": 456020,
"Message": "RequestExportXML request rejected - Invalid configuration",
"ReceiptTime": "2020-11-03T12:28:00.551Z",
"RecordTime": "2020-11-03T12:28:00.551Z",
"Severity": "Low",
"User": "Schedule"
}
]
}
})
]
| mv-expand Objects = Event.ExportedEvents.Objects
| project
AlarmState = tostring(Objects["AlarmState"]),
AreaOfInterest = tostring(Objects["AreaOfInterest"]),
Category = tostring(Objects["Category"]),
EncodedMessage = tostring(Objects["EncodedMessage"]),
Fullname = tostring(Objects["Fullname"]),
Id = tolong(Objects["Id"]),
Message = tostring(Objects["Message"]),
ReceiptTime = todatetime(Objects["ReceiptTime"]),
RecordTime = todatetime(Objects["RecordTime"]),
Severity = tostring(Objects["Severity"]),
User = tostring(Objects["User"])
returns:回报:
| AlarmState | AreaOfInterest | Category | EncodedMessage | Fullname | Id | Message | ReceiptTime | RecordTime | Severity | User |
|------------|----------------|----------|-------------------------------------------|-----------------------------------------------------------------------------------------|--------|-----------------------------------------------------------|-----------------------------|-----------------------------|----------|----------|
| | | Action | Kernel,469,M(Lib,101,S"RequestExportXML") | System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner | 456020 | RequestExportXML request rejected - Invalid configuration | 2020-11-03 12:28:00.5500000 | 2020-11-03 12:28:00.5500000 | Low | Schedule |
| | | Action | Kernel,469,M(Lib,101,S"RequestExportXML") | System Resources.XML Interface.Support Processes.Batch Scheduler.Batch Schedule Scanner | 456020 | RequestExportXML request rejected - Invalid configuration | 2020-11-03 12:28:00.5510000 | 2020-11-03 12:28:00.5510000 | Low | Schedule |
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.