Forum Discussion

Copper Contributor

Aug 20, 2021

Internal fields have multiple values in Parsers

Hi, We are working on creating a custom connector to ingest the data in Azure Sentinel. We are now working on parsers, and we are trying to replicate the data fields as in Splunk. In Splunk, the ...

Ronak_Shah

Copper Contributor

Aug 24, 2021

deshantshukla

Hi, Thanks for your response

Actually in the above method suggested, it will be only possible if we know the length of the list, or we know how many dictionary items are present in the list.
If in the example I provided

a = [

{b: null, c: "string1"},

{b: "string2", c: "string3"}

.....
{b: "string3", c: "null"}]
we don't know the length, then how should I implement the logic.

deshantshukla

MCT

Aug 25, 2021

Hi Ronak_Shah,

Try this code,

SigninLogs
| project DeviceDetail
| evaluate bag_unpack(DeviceDetail)

bag_unpack will Parse all the values inside it .

Check this Blog: https://www.cloudsma.com/2020/01/extracting-nested-fields-kusto/