Customizing Parameter Xml field in Log Analytics Query Result

Microsoft

Hi,

Based on requirement, we ran the following Query in log analytics workspace:

 

Event
| where EventID == 7001

ParameterXml field contains the value in XMl format as follows:

 

<Param>3</Param><Param>"Ramesh"</Param>

 

But we want to extract only the user name from ParameterXml column, so we used the following KQL:

Event
| where EventID == 7001
| extend userinfo=parse_xml(ParameterXml)
| extend Param_ = tostring(userinfo.Param)
| project userinfo,Computer,Param_

 

But the output of userinfo column showed in some sort of simplified manner as below
{"Param":"Ramesh"}

As we used following line

| extend Param_= tostring(userinfo.Param)

we thought of getting a user name but,

Param_ field also displaying number, rather than  username.


It doesn't met our requirement, Suggest a way to get only the username from the column.

0 Replies