LodewykV
Copper Contributor
Oct 23, 2020

Loop through array in KQL

Hi, I've been exploring parsing and noticed that when parsing XML you get dictionaries and arrays.

You can't pass those in functions, but you can pass a var of type dynamic, but then to loop you have to make a table and join the table with the query that you ran. Does anybody have any idea of how to loop through an array? I couldn't find anything around this.

  • GaryBushey
    Bronze Contributor

    LodewykV There certainly doesn't appear to be any sort of looping mechanism.  Is there any particular reason you do not want to convert your array into a table to use with a join command?

    • LodewykV
      Copper Contributor

      GaryBushey Hi Gary, the main reason would be so that I could make use of data that I pull in from external sources via API calls, as well as using custom connectors and merging them onto existing connectors.

      Another reason would be to be able to enrich existing analytical rules.

      • GaryBushey
        Bronze Contributor

        LodewykV All of that can be done using tables and either join or union commands.  I would recommend looking at the "externaldata" operator and the Watchlist functionality to get external data.
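
The table-and-join approach discussed in this thread, as an added example that is not part of the original posts: `mv-expand` turns each element of a dynamic array into its own row, which can then be joined against a lookup table for enrichment. The table names, column names and sample values are constructed for illustration; `ThreatList` stands in for data that would come from `externaldata` or a Watchlist.

```kql
// Constructed sample data: each event carries an XML payload with repeated <ip> elements.
let Events = datatable(EventId:int, Payload:string)
[
    1, "<event><ips><ip>203.0.113.10</ip><ip>198.51.100.7</ip></ips></event>",
    2, "<event><ips><ip>192.0.2.55</ip><ip>203.0.113.10</ip></ips></event>"
];
// Constructed stand-in for an external lookup (externaldata or a Watchlist in practice).
let ThreatList = datatable(IpAddress:string, Label:string)
[
    "203.0.113.10", "known-scanner",
    "192.0.2.55",   "tor-exit"
];
Events
// parse_xml returns a dynamic value; repeated <ip> elements become an array.
| extend Ips = parse_xml(Payload).event.ips.ip
// One output row per array element, cast to string so it can be used as a join key.
| mv-expand Ip = Ips to typeof(string)
// leftouter keeps array elements that have no match in the lookup table.
| join kind=leftouter (ThreatList) on $left.Ip == $right.IpAddress
| project EventId, Ip, Label
```

Each event yields one row per address, and `Label` is empty for addresses that are not in the lookup table.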
