Forum Discussion
How to execute a returned KQL query
Hi,
Quick visualisation of one data record:
| ID | 1001 |
| Description | Sample Query |
| Query | {some KQL query} |
I would like to get the query and execute it all within a KQL statement, something like this:
SampleTable
| where ID == '1001'
| extend results = run_query(Query)
| extend results_parsed = parse_json(results)
| {count number of results, get the description of first 10 and add to query output}
Thanks!
dimmi
3 Replies
- If you are referring to a compressed query in the results, there is some sort of workaround, you can extract the compressed text and decompress it in an extended field
For example in the Azure Security Alert Table
Table
| project CompressedQuery = tostring(parse_json(ExtendedProperties).Query)
| extend Compressed = extract(@"\['([^;]+)']",1,CompressedQuery)
|extend raw = todynamic(zlib_decompress_from_base64_string(Compressed))
I hope that helps - hello Dimmi, were you able to find a way. I am trying to do the same.
