I would really appreciate if you could help me with a query that I would need to my report. This is my query:
SecurityAlert
| where ProviderName contains "IPC"
and the result is:
I would need to extract just the AadUserId from Entities but I'm not sure how since I'm still new to the KQL language.
I would be very grateful if you could advice.
Thank you very much.
I expect to extract AadUserID from my query.
Here are a few options
// Sample data generation. Not part of the solution.
let SecurityAlert = datatable(ProviderName:string, Entities:dynamic)
[
"IPC", dynamic([{"AadUserID":"Dummy"}])
];
// Solution starts here
SecurityAlert
| where ProviderName contains "IPC"
| project tostring(Entities[0].AadUserID)
Entities_0_AadUserID
Dummy
Fiddle
// Sample data generation. Not part of the solution.
let SecurityAlert = datatable(ProviderName:string, Entities:dynamic)
[
"IPC", dynamic([{"AadUserID":"Dummy"}])
];
// Solution starts here
SecurityAlert
| where ProviderName contains "IPC"
| mv-expand Entities
| project tostring(Entities.AadUserID)
| where isnotempty(Entities_AadUserID)
Entities_AadUserID
Dummy
Fiddle
// Sample data generation. Not part of the solution.
let SecurityAlert = datatable(ProviderName:string, Entities:dynamic)
[
"IPC", dynamic([{"AadUserID":"Dummy"}])
];
// Solution starts here
SecurityAlert
| where ProviderName contains "IPC"
| mv-apply Entities on (summarize make_set(Entities.AadUserID))
| project set_Entities_AadUserID
set_Entities_AadUserID
["Dummy"]
Fiddle
Related
I need to get the category name from category id using kusto query.
First i have got the most searched url from the website using the below kusto query and ran it in app insights logs
Requests
| where resultCode==200
| where url contains "bCatID"
| summarize count=sum(itemCount) by url
| sort by count
| take 1
From the above query i got the result like
https://www.test.com/item.aspx?idItem=123456789&bCatID=1282
So for corresponding categoryid=1282 i need to get the category name using kusto
you can use the parse operator.
for example:
print input = 'https://www.test.com/item.aspx?idItem=123456789&bCatID=1282'
| parse input with 'https://www.test.com/item.aspx?idItem=123456789&bCatID='category_id:long
parse_urlquery
print url ="https://www.test.com/item.aspx?idItem=123456789&bCatID=1282"
| extend tolong(parse_urlquery(url)["Query Parameters"]["bCatID"])
url
Query Parameters_bCatID
https://www.test.com/item.aspx?idItem=123456789&bCatID=1282
1282
Fiddle
Feedback to the OP query
Not an answer
KQL is case sensitive. The name of the table in Azure Application Insights is requests (and not Requests).
resultCode is of type string (and not integer/long) and should be compared to "200" (and not 200)
bCatID is a token and therefore can be searched using has or even has_cs, which should be preferred over contains due to performance reasons.
URLs can be used with different parameters. It might make more sense to summarize only by the Host & Path parts + the bCatID query parameter.
count is a reserved word. It can be used as alias only if qualified: ["count"] or ['count'] (or better not used at all).
sort followed by take 1 can be replaced with the more elegant top 1 by ...
requests
| where resultCode == "200"
| project url = parse_url(url), itemCount
| summarize sum(itemCount) by tostring(url.Host), tostring(url.Path), tolong(url["Query Parameters"]["bCatID"])
| top 1 by sum_itemCount
The log item looks like below, the currencyamount field has multiple case situation:
{ "AdditionalFields":{
"backendRequestBody":{
"currencyamount":1
} } }
{ "AdditionalFields":{
"backendRequestBody":{
"CurrencyAmount":1
} } }
{ "AdditionalFields":{
"backendRequestBody":{
"currencyAmount":1
} } }
However, the parse_json log query is case sensitive, is there any way to get the currentAmount field case insensitively using azure log query?
The query below only able to get one of the log entry which has lower case currencyamount field.
AzureDiagnostics
| where apiId_s contains "targetId" and AdditionalFields.backendRequestBody has "amount"
| extend amt = (parse_json(tostring(AdditionalFields.backendRequestBody)).currencyamount)
AFAIK, in parse Json we cannot be able to use Incase sensitive Json object. Instead of that you can use following way to achieve.
AzureActivity
| where apiId_s contains "targetId" and AdditionalFields.backendRequestBody has "amount"
| extend backendReqbody = parse_json(AdditionalFields.backendRequestBody)
| extend lowercuramount = parse_json(tostring(parse_json(backendReqbody.currencyamount)))
| extend curamount = parse_json(tostring(parse_json(backendReqbody.CurrencyAmount)))
| extend lowupcuramount = parse_json(tostring(parse_json(backendReqbody.currencyAmount)))
You can use conditions like (iff) Ms -Doc while filtering the data in a result.
Json text isn't parsing in KQL correctly. I tried using parse_json as well but that didn't work either. I did confirm the extend AllProperties is holding the correct data.
DeviceInfo
| where RegistryDeviceTag == "Standard"
| extend AllProperties = todynamic(LoggedOnUsers)
| project DeviceName, Users = AllProperties["Username"]
Output gives me the correct DeviceName but doesn't give any data in the Username field.
(based on the sample input you provided in the comment)
if the array that is "LoggedOnUsers" includes exactly one entry, you can do this:
print input = '[{"UserName":"TheUserName","DomainName":"TheDomainName","Sid":"TheSID#"}]'
| project UserName = parse_json(input)[0].UserName
otherwise, you can use mv-expand or mv-apply:
print input = '[{"UserName":"TheUserName","DomainName":"TheDomainName","Sid":"TheSID#"}]'
| project parse_json(input)
| mv-apply input on (
project UserName = input.UserName
)
I would like to make the following style table output using CouchDB and linked documents:
+----------------+------------+--------------------+
| Title | Date | Number of Comments |
+----------------+------------+--------------------+
| Hello World | 2000-01-01 | 301 |
| Next Question? | 1999-03-04 | 11 |
| Final Post | 1992-04-01 | 64 |
+----------------+------------+--------------------+
I have documents that look like this for posts:
{ _id : 'hello-world', title : 'Hello World', date : '2000-01-01', type : 'post' }
and for comments:
{ _id : 'some-comment', title : 'Great post!', postid: 'hello-world', type : 'comment' }
{ _id : 'some-comment2', title : 'Poor quality', postid: 'final-post', type : 'comment' }
How can I accomplish this? I would prefer to use a single map/reduce.
I'm answering this for myself in case any one else has this question. I think my misunderstand comes from my being used to SQL.
Basically, my options are:
Create a design document view (comments-by-post) that will give me the post._id as the key and the # number of comments for that post. Then, I can stitch this together with the posts obtained by a Mango query or another view in my programming language.
Alternatively, and probably more correctly, I can just create a property called numberOfComments on the post object and update it every time someone comments. This feels wrong from an SQL perspective, but I believe the flexibility of the document database lends itself to this.
I'm choosing to do #1 to begin with and experiment with #2.
In AfterScenario method, I want to get the rows from table "Examples" in Scenario Outline, to get the values in it, and search that specific values in the database
I know that this can be achieved by using Context.Scenario.Current...
Context.Scenario.Current[key]=value;
...but for some reason I'd like to be able to get it in a simpler way
like this:
ScenarioContext.Current.Examples();
----------- SCENARIO --------------------------------
Scenario Outline: Create a Matter
Given I create matter "< matterName >"
Examples:
| matterName |
| TAXABLE |
----------AFTER SCENARIO -----------------------------------
[AfterScenario()]
public void After()
{
string table = ScenarioContext.Current.Examples();
}
So if you look at the code for ScenarioContext you can see it inherits from SpecflowContext which is itself a Dictionary<string, object>. This means that you can simply use Values to get the collection of values, but I have no idea if they are Examples or not.
The best solution I came up with was to infer the examples by keeping my own static singleton object, then counting how many times the same scenario ran.
MyContext.Current.Counts[ScenarioContext.Current.ScenarioInfo.Title]++;
Of course, this doesn't work very well if you don't run all the tests at the same time or run them in random order. Having a table with the examples themselves would be more ideal, but if you combine my technique along with using ScenarioStepContext you could extract the parameters of the Examples table out of the rendered step definition text itself.
Feature
Scenario Outline: The system shall do something!
Given some input <input>
When something happens
Then something should have happened
Examples:
| input |
| 1 |
| 2 |
| 3 |
SpecFlow Hook
[BeforeStep]
public void BeforeStep()
{
var text = ScenarioStepContext.Current.StepInfo.Text;
var stepType = ScenarioStepContext.Current.StepInfo.StepDefinitionType;
if (text.StartsWith("some input ") && stepType == StepDefinitionType.Given)
{
var input = text.Split(' ').Last();
}
}