How can I get a specific parameter field using KQL ?

Hello everyone, I'd like to make a little table dashboard with the following request OfficeActivity | where OfficeWorkload == "Exchange" | where Operation == "Add-MailboxPermission" Then pr...

GaryBushey
Apr 20, 2020
Alexander_Ceyran you can do something like this. Since Parameters stores a JSON array you can convert it to a dynamic type and then use the mv-expand command to expand each entry in the array into its own row and then filter the rows

OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation == "Add-MailboxPermission"
| extend test = (todynamic(Parameters))
| mv-expand(test)
| where test contains "DomainController"

Alexander_Ceyran

Copper Contributor

Apr 20, 2020

Thanks GaryBushey, that solves it for me

GaryBushey

Bronze Contributor

May 20, 2020

Alexander_Ceyran Something else I just stumbled across. If you do not want to create a new row per item but rather a new column you can do something like:

| extend tmp = parse_json(Properties)

| extend newResource = tmp.resource

Where "resource" in "tmp.resource" is the name of a field in the Properties column

Forum Discussion

How can I get a specific parameter field using KQL ?

Resources