using KQL to Identify the absence of a value within a JSON message
Question
I am storing JSON messages within an ADX table. The datatype of the JSON column is a string. Within the JSON message is an array that looks like this
"FilingEntities": [
{
"FilingEntity": 0,
"FilingMethod": 1,
"FilingSubMethod": -1
},
{
"FilingEntity": 29,
"FilingMethod": 1,
"FilingSubMethod": -1
},
{
"FilingEntity": 66,
"FilingMethod": 2,
"FilingSubMethod": -1
}
]
what I am trying to do is write a query that identifies the messages where there is only one instance of a filing array. For example, it looks like this
"FilingEntities": [
{
"FilingEntity": 0,
"FilingMethod": 1,
"FilingSubMethod": -1
}
]
So far I have been trying to just get the JSON parsed using
EventReceivedRaw
| extend DynamicJson = todynamic(JSONRaw)
| mv-expand DynamicJson
| project UniqueEventGuid, TimeStampInCST, DynamicJson, JSONRaw
but can't really figure out how to interrogate the message to get to the result I am looking for.
1 answers
solution1
0 ACCPTED 2023-02-01 21:39:07
The datatype of the JSON column is a string
for efficiency, you should strongly consider re-typing this column to be dynamic , so that you don't have to do query-time parsing.
what I am trying to do is write a query that identifies the messages where there is only one instance of a filing array
you could use the array_length() function.
for example:
EventReceivedRaw
| extend DynamicJson = todynamic(JSONRaw)
| where array_length(DynamicJson.FilingEntities) == 1
| project UniqueEventGuid, TimeStampInCST, DynamicJson, JSONRaw
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.