Forum Discussion
Using KQL queries to dive into dynamic arrays Azure Log Analytics
I'm running this command to break out the dynamic arrays IntuneAuditLogs | where TimeGenerated > ago(7d) | extend propertiesJson = todynamic(Properties) | extend propertiesTargets = todynamic(...
If you know the Index number and field, then you can modify a query like this one to suit?
SecurityAlert
//| where DisplayName == "Detected suspicious DNS resolution"
| extend entities = todynamic(Entities)
| project AlertName ,
TimeGenerated,
Description = parse_json(entities[0].HostName) ,
osFamily =parse_json(entities[1].OSFamily)
CliveWatson, What if I have a scenario where multiple IPs and users are under entities field?
What I am trying to do is get the IP addresses under one single variable and the list of user IDs under another one!