Forum Discussion
Loop through array in KQL
Hi, I've been exploring parsing and noticed that when parsing xml you get dictionaries and arrays. You can't pass those in functions, but you can pass a var of type dynamic, but then to loop you ...
LodewykV There certainly doesn't appear to be any sort of looping mechanism. Is there any particular reason you do not want to convert your array into a table to use with a join command?
GaryBusheyHi Gary, the main reason would be so that I could make use of data that I pull in form external sources via API calls, as well as using custom connectors and merging them on to existing connectors.
Another reason would be to be able to enrich existing analytical rules.
LodewykV All of that can be done using tables and either join or union commands. I would recommend looking at the "externdata " and the Watchlist functionality to get external data
GaryBusheyHi Gary, thanks for the recommendation. I'm using the externaldata operator to do an api call and am parsing the data using mv-expand and parse_json, although I've got to use the loop functionality in playbooks to be able to do what I want to do.
I'll have a look at watchlists though.
