Forum Discussion
KQL Syntax Parsing dynamic list of json tuples
Any guidance on how I would go about parsing a dynamic list of tuples within a single event? The example I have attached is a AWS CloudTrail log event with a dynamic list of Security Group polici...
Hi
Have you checked out MVExpand?
That might be what you are looking for: https://docs.microsoft.com/en-us/azure/kusto/query/mvexpandoperator
Have you checked out MVExpand?
That might be what you are looking for: https://docs.microsoft.com/en-us/azure/kusto/query/mvexpandoperator
That worked! Thank you!
AWSCloudTrail
| extend Policies = parse_json(RequestParameters).ipPermissions.items
| mvexpand Policies