I want to extend the query result with specific values, but I do not know how to get only a fragment of information, the one that is in the screen, that is, for example, from the "rendereddescription" section, I only need information about "server_principal_name" and assign it to some value, e.g. "user" and this I know this needs to be resolved | extend "variable name" = i here i do not know what the syntax is.enter image description here
you can use the parse operator: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/parseoperator
for example:
print RenderDescription = #"... 0000000000 session_server_principal_name:ABB\HPAM-TCS-DB10 server_principal_sid:01050000000 ...."
| parse RenderDescription with * "session_server_principal_name:" session_server_principal_name " " *
RenderDescription
session_server_principal_name
... 0000000000 session_server_principal_name:ABB\HPAM-TCS-DB10 server_principal_sid:01050000000 ....
ABB\HPAM-TCS-DB10
Related
I have a list which is in below format
A = [ "machine's code" ,"max's code"]
I want to convert to that list to string and pass it to a query. I am using python for this.
I am trying with below query and not giving required results
for i in A:query=Select * from table where name='"+str(A)+"'"
Expected code should be :
Select * from table where name="machine's code"
list_of_queries = []
for element in A:
query = f'Select * from table where name="{el}"'
list_of_queries.append(query)
as pointed out by others here, this pattern should be only used internally, as it creates some sql injection security risks.
I'm querying azure log analytics using Kusto, and extracting fields with the parse operator, then keeping only the records which parsed correctly:
traces
| parse message with "Search found " people " people in " groupCount " groups"
| where people != "" and groupCount != ""
| order by n desc
Is there a more terse way of parsing and dropping non-matching rows? If I am parsing out a lot of columns from a set of logs, maybe containing partial matches, this connascence between the parse and where gets fiddly.
By comparison, in SumoLogic, the parse operator automatically drops all rows which don't match a parsed pattern, which makes for really tidy pipelines:
*
| parse "Search found * people in * groups" as people, groupCount
| order by n desc
In Kusto: 'parse' operator does not auto-filter rows that does not match the provided pattern, and operator works as in mode of 'extend' - adding more columns.
If you would like to filter specific row - the recommendation is to use 'where' operator before the 'parse': this will also improve performance as 'parse' will have fewer rows to scan.
traces
| where message startswith 'Search found'
| parse message with "Search found " people " people in " groupCount " groups"
...
There's now a built in operator that will do this: parse-where
https://learn.microsoft.com/en-us/azure/kusto/query/parsewhereoperator
It has syntax just like parse, but will omit from its output any records which didn't match the parse pattern.
So the query:
traces
| parse message with "Search found " people " people in " groupCount " groups"
| where people != "" and groupCount != ""
| order by n desc
becomes:
traces
| parse-where message with "Search found " people " people in " groupCount " groups"
| order by n desc
I want a single search query for below splunk query.
First search will give me a dynamic field myorderid
index=mylog "trigger.rule: Id - * : Unexpected System Error" | rex field=_raw "Id -""(?[^:]*)" | table myorderid
I want to pass the above myorderid in below search criteria
index=mylog API=Order orderid=myorderid
Can anyone please help me to create a single query using subsearch in splunk.
Have you tried the obvious?
index=mylog API=Order orderid=
[ search index=mylog "trigger.rule: Id - * : Unexpected System Error"
| rex "Id - (?<myorderid>[^:]*)" | fields myorderid ]
I have a virtual table created using fts5:
import sqlite3
# create a db in memory
con = sqlite3.connect(':memory:')
con.execute('create virtual table operators using fts5(family, operator, label, summary, tokenize=porter)')
# some sample data
samples = {'insideTOP':
{'label':'Inside',
'family':'TOP',
'summary':'The Inside TOP places Input1 inside Input2.'
},
'inTOP':
{'label':'In',
'family':'TOP',
'summary':'The In TOP is used to create a TOP input.'
},
'fileinSOP':
{'label':'File In',
'family':'SOP',
'summary':'The File In SOP allows you to read a file'
}
}
# fill db with those values
for operator in samples.keys():
opDescr = samples[operator]
con.executescript("insert into operators (family, operator, label, summary) values ('{0}','{1}','{2}','{3}');".format(opDescr['family'],operator,opDescr['label'],opDescr['summary']))
with following columns
+--------+-----------+------------+----------------------------------------------+
| family | operator | label | summary |
+--------+-----------+------------+----------------------------------------------+
| TOP | insideTOP | Inside | The Inside TOP places Input1 inside Input2.|
| TOP | inTOP | In | The In TOP is used to create a TOP input. |
| SOP | fileinSOP | File In | The File In SOP allows you to read a file |
+--------+-----------+------------+----------------------------------------------+
an example query is:
# query the db
query = "select operator from operators where operators match 'operator:In*' or operators match 'label:In*' order by family, bm25(operators)"
result = con.execute(query)
for row in result:
print(row)
And as a result I get
fileinSOP
insideTOP
inTOP
For this particular case though, I'd actually like the 'inTOP' to appear before the 'insideTOP' as the label is a perfect match.
What would be a good technique to be able to massage these results the way I'd like them?
Thank you very much
Markus
maybe you can put your order rule in the question.
If you use bm25 to order your results, you can't achieve the result you want
I suggest you that you can use your custom rank function, like below sql:
query = "select operator from operators where operators match 'operator:In*' or operators match 'label:In*' order by myrank(family, operators)"
define a custom rank function is very easy in fts5, you can follow the guide in the fts5 website.
if you also want bm25 result as a rank score, you can get the score in the rank method can calculate your final score.
I have a field named field, and I would like to see if it is null, but I get an error in the query, my code is this:
let
Condition= Excel.CurrentWorkbook(){[Name="test_table"]}[Content],
field= Condition{0}[fieldColumn],
query1="select * from students",
if field <> null then query1=query1 & " where id = '"& field &"',
exec= Oracle.Database("TESTING",[Query=query1])
in
exec
but I get an error in the condition, do you identify the mistake?
I got Expression.SyntaxError: Token Identifier expected.
You need to assign the if line to a variable. Each M line needs to start with an assignment:
let
Condition= Excel.CurrentWorkbook(){[Name="test_table"]}[Content],
field= Condition{0}[fieldColumn],
query1="select * from students",
query2 = if field <> null then query1 & " some stuff" else " some other stuff",
exec= Oracle.Database("TESTING",[Query=query2])
in
exec
In query2 you can build the select statement. I simplified it, because you also have conflicts with the double quotes.
I think you're looking for:
if Not IsNull(field) then ....
Some data types you may have to check using IsEmpty() or 'field is Not Nothing' too. Depending on the datatype and what you are using.
To troubleshoot, it's best to try to set a breakpoint and locate where the error is happening and watch the variable to prevent against that specific value.
To meet this requirement, I would build a fresh Query using the PQ UI to select the students table/view from Oracle, and then use the UI to Filter the [id] column on any value.
Then in the advanced editor I would edit the generated FilteredRows line using code from your Condition + field steps, e.g.
FilteredRows = Table.SelectRows(TESTING_students, each [id] = Excel.CurrentWorkbook(){[Name="test_table"]}{0}[fieldColumn])
This is a minor change from a generated script, rather than trying to write the whole thing from scratch.