Forum Discussion
Rajtoor
Jan 18, 2023Copper Contributor
String to Column KQL
I want to extend DetectionMethods which is string data type in emailevents table. But this may apply to other tables and situations,
EmailEvents
| take 1000
| extend kqlt=parse_json(DetectionMethods)
| extend DM_Phish=kqlt.Phish, DM_Spam=kqlt.Spam
Above results in adding this,
Values are still displayed as ["Value"] and not Value
Is there a better way to do this. How can I bring the value out of [""]
--------------------
If the string had more keys , is there a way to dynamically create columns. Seems like bag_unpack does it but I cannot use those in query such as filtering with where.
{"Phish":["Spoof external domain"],"Spam":["Mixed analysis detection"]}
- Have you tried to use "mv-expand" on the columns?
- GBusheyMicrosoftHave you tried to use "mv-expand" on the columns?