Forum Discussion
How to use "inverted commas" within search query
Hi,
Please check out info on strings in KQL here. Since it looks like all your quotes are " and not 's, you can encompass your search terms in ' ... 's, and then use "s within that search unescaped. Backslashes can be escaped via \\.
If that doesn't work, can you please provide a sample (anonymized) of the properties field of one of these entries? I can try and put the right search expression together based on that.
Thanks,
-Evgeny
MicrosoftHi,
Please check out info on strings in KQL here. Since it looks like all your quotes are " and not 's, you can encompass your search terms in ' ... 's, and then use "s within that search unescaped. Backslashes can be escaped via \\.
If that doesn't work, can you please provide a sample (anonymized) of the properties field of one of these entries? I can try and put the right search expression together based on that.
Thanks,
-Evgeny
Hi, thanks for the reply, but I'm still having issues with the syntax. Below is a snippet of the properties output (minus my subscription ID). I just need to get the 'provisioning succeeded' part out like i mentioned.
{ "requestbody": "{\"name\":\"myvm512\",\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/networkInterfaces/myvm512\",\"etag\":\"W/\\\"23269d7b-24d6-4ab3-a9ea-1e382f0e84d5\\\"\",\"location\":\"westeurope\",\"properties\":{\"provisioningState\":\"Succeeded\",\"resourceGuid\":\"887448c7-9f48-4c8a-872f-060dea18d987\",\"ipConfigurations\":[{\"name\":\"ipconfig1\",\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/networkInterfaces/myvm512/ipConfigurations/ipconfig1\",\"etag\":\"W/\\\"23269d7b-24d6-4ab3-a9ea-1e382f0e84d5\\\"\",\"properties\":{\"provisioningState\":\"Succeeded\",\"privateIPAddress\":\"10.0.0.4\",\"privateIPAllocationMethod\":\"Dynamic\",\"subnet\":{\"name\":\"default\",\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/virtualNetworks/Env5-vnet/subnets/default\",\"etag\":\"W/\\\"f0820dc1-7a9b-4b0d-a309-beb20fcbc63a\\\"\",\"properties\":{\"provisioningState\":\"Succeeded\",\"addressPrefix\":\"10.0.0.0/24\",\"ipConfigurations\":[{\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/networkInterfaces/myvm512/ipConfigurations/ipconfig1\"}]}},\"primary\":true,\"privateIPAddressVersion\":\"IPv4\",\"loadBalancerBackendAddressPools\":[],\"applicationGatewayBackendAddressPools\":[],\"loadBalancerInboundNatRules\":[],\"publicIPAddress\":{\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/publicIPAddresses/MyVM\",\"sku\":{\"name\":\"Basic\"},\"zones\":[]}}}],\"dnsSettings\":{\"dnsServers\":[],\"appliedDnsServers\":[]},\"enableAcceleratedNetworking\":false,\"enableIPForwarding\":false,\"networkSecurityGroup\":{\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/networkSecurityGroups/MyVM-nsg\",\"etag\":\"W/\\\"0ca6ca01-0e79-47aa-a2a0-fa291e89b843\\\"\"},\"primary\":true,\"virtualMachine\":{\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Compute/virtualMachines/MyVM\"},\"macAddress\":null,\"migrationPhase\":null},\"type\":\"Microsoft.Network/networkInterfaces\"}" }
I have found the correct syntax to use after the advice above and understanding more from the query language reference. PS: I also had written the wrong query string in the question above, it should have been:
\"provisioningState\":\"Succeeded"\Anyway, here is the answer to look for the above string in the properties of a result:
AzureActivity | sort by TimeGenerated desc nulls last | where OperationName == "Microsoft.Network/networkInterfaces/write" and ActivityStatus == "Started" | where Properties contains '\\"provisioningState\\":\\"Succeeded\\"'
- Just to share my experience. In most cases I always try to use single quotes as it is easier to deal when you have json or some text to filter upon. Would be nice if the intellisense was actually using single quotes.
