Forum Discussion

Ronak_Shah
Copper Contributor
Aug 20, 2021

Internal fields have multiple values in Parsers

Hi,


We are working on creating a custom connector to ingest data into Azure Sentinel. We are now working on parsers, and we are trying to replicate the data fields as in Splunk. In Splunk, the inner fields of a list of dictionaries can be individually represented. Say, for example, a is a list of dictionaries:

a = [
  {b: null, c: "string1"},
  {b: "string2", c: "string3"}
]

In Splunk we can represent a{}.b = null, a{}.b="string2"

But when we try to do the same in Azure, we are actually not able to do it: we can give the column a{}.b only one value from the list of values, say a{}.b=null or string2.

Can someone please help me determine how to access the inner fields of a multi-valued field, or how to represent the multiple values under one field name, say a{}.b?

3 Replies

  • Ronak_Shah 


    You can write a parser similar to this,

    e.g.

    SigninLogs {Table Name}
    AuthenticationDetails {Field Name}
    [0: authenticationMethod, authenticationStepRequirement]
    [1: authenticationStepRequirement]
    [2: authenticationMethod]


    Parser:

    SigninLogs
    // AuthenticationDetails is a JSON array; parse it once, then index the known positions
    | extend Details = parse_json(AuthenticationDetails)
    | extend AuthenticationMethod = tostring(Details[0].authenticationMethod)
    | extend authenticationStepRequirement = tostring(Details[0].authenticationStepRequirement)
    | extend authenticationStepRequirement1 = tostring(Details[1].authenticationStepRequirement)
    // KQL column names are case-sensitive, so authenticationMethod and AuthenticationMethod are distinct columns
    | extend authenticationMethod = tostring(Details[2].authenticationMethod)
    | project AuthenticationMethod, authenticationStepRequirement, authenticationStepRequirement1, authenticationMethod


    Or you can share sample logs for better help.  

      Ronak_Shah
      Copper Contributor

      deshantshukla 


      Hi, Thanks for your response

      Actually, in the method suggested above, this is only possible if we know the length of the list, i.e. how many dictionary items are present in the list.
      If, in the example I provided,

      a = [
        {b: null, c: "string1"},
        {b: "string2", c: "string3"}
        .....
        {b: "string3", c: "null"}
      ]

      we don't know the length, then how should I implement the logic?

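The index-based approach in the first reply (parse_json(...)[0], [1], [2]) only covers positions that are known ahead of time. The following KQL is an added example, not posted by anyone in the thread, showing the two operators that handle an array of unknown length: mv-expand, which turns each array element into its own row so inner fields can be filtered per element (the equivalent of Splunk's a{}.b="string2"), and summarize make_list(), which collects the inner values back under one column per event. The table name, the EventId column, the sample rows and the string values are all constructed for the example; in a real Sentinel parser the datatable would be replaced by the custom table.

```kusto
// Added example (not from the thread). Constructed sample rows: field "a" is a
// JSON array of objects whose length differs per event and is not known in advance.
datatable(EventId:string, a:string)[
    "evt-1", '[{"b": null, "c": "string1"}, {"b": "string2", "c": "string3"}]',
    "evt-2", '[{"b": "string4", "c": "string5"}, {"b": null, "c": "string6"}, {"b": "string7", "c": "string8"}]'
]
| extend a_parsed = parse_json(a)
// mv-expand emits one row per array element, however many there are, so no
// index has to be hard-coded. with_itemindex keeps each element's position.
| mv-expand with_itemindex = Idx item = a_parsed
| extend b = tostring(item.b), c = tostring(item.c)
// A JSON null becomes an empty string after tostring(); isempty() detects it.
| extend b_is_null = isempty(b)
// At this point per-element filtering works like Splunk's a{}.b="string2":
//   | where b == "string2"
// To return to one row per event with all inner values under one name
// (the a{}.b view), collect the expanded values again. make_list() drops
// nulls, but the empty strings produced above are kept, so positions line up
// with the original array.
| summarize b_values = make_list(b),
            c_values = make_list(c),
            b_null_count = countif(b_is_null)
            by EventId
| extend has_string2 = set_has_element(b_values, "string2")
| project EventId, b_values, c_values, b_null_count, has_string2
```

For evt-1 this yields b_values ["", "string2"], c_values ["string1", "string3"], b_null_count 1 and has_string2 true; for evt-2, b_values ["string4", "", "string7"] with has_string2 false. If per-element rows are what the detection needs (for example, alerting whenever any element has b == "string2"), stop the pipeline before the summarize and filter on b directly. When packaging this as a Sentinel parser, save the pipeline as a function so the mv-expand step is applied consistently wherever the table is queried.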