SOLVED

How to use "inverted commas" within search query


Hi, I am trying to create a search query for when a Public IP is assigned to a NIC, and then create an alert off that. I can find the part which identifies the assignment, but I need to use "inverted commas" within my search, but I can't... 


My query:

AzureActivity
| where OperationName == "Microsoft.Network/networkInterfaces/write" and ActivityStatus == "Started"
| where Properties contains "<>"
 
Within that "contains", I need to use the following JSON pulled from the properties JSON (which I found doing a search without Properties Contains):
 
\"provisioningState": "Succeeded"\
 
However, I know I can't use "inverted commas" within an already inverted comma area. Is there a way to allow me to put that inside, perhaps with some sort of cancelling or bracketing?

Solution

Hi,


Please check out info on strings in KQL here. Since it looks like all your quotes are " and not 's, you can encompass your search terms in ' ... 's, and then use "s within that search unescaped. Backslashes can be escaped via \\. 


If that doesn't work, can you please provide a sample (anonymized) of the properties field of one of these entries? I can try and put the right search expression together based on that.


Thanks,
-Evgeny


Hi, thanks for the reply, but I'm still having issues with the syntax. Below is a snippet of the properties output (minus my subscription ID). I just need to get the 'provisioning succeeded' part out like I mentioned.


{ "requestbody": "{\"name\":\"myvm512\",\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/networkInterfaces/myvm512\",\"etag\":\"W/\\\"23269d7b-24d6-4ab3-a9ea-1e382f0e84d5\\\"\",\"location\":\"westeurope\",\"properties\":{\"provisioningState\":\"Succeeded\",\"resourceGuid\":\"887448c7-9f48-4c8a-872f-060dea18d987\",\"ipConfigurations\":[{\"name\":\"ipconfig1\",\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/networkInterfaces/myvm512/ipConfigurations/ipconfig1\",\"etag\":\"W/\\\"23269d7b-24d6-4ab3-a9ea-1e382f0e84d5\\\"\",\"properties\":{\"provisioningState\":\"Succeeded\",\"privateIPAddress\":\"10.0.0.4\",\"privateIPAllocationMethod\":\"Dynamic\",\"subnet\":{\"name\":\"default\",\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/virtualNetworks/Env5-vnet/subnets/default\",\"etag\":\"W/\\\"f0820dc1-7a9b-4b0d-a309-beb20fcbc63a\\\"\",\"properties\":{\"provisioningState\":\"Succeeded\",\"addressPrefix\":\"10.0.0.0/24\",\"ipConfigurations\":[{\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/networkInterfaces/myvm512/ipConfigurations/ipconfig1\"}]}},\"primary\":true,\"privateIPAddressVersion\":\"IPv4\",\"loadBalancerBackendAddressPools\":[],\"applicationGatewayBackendAddressPools\":[],\"loadBalancerInboundNatRules\":[],\"publicIPAddress\":{\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/publicIPAddresses/MyVM\",\"sku\":{\"name\":\"Basic\"},\"zones\":[]}}}],\"dnsSettings\":{\"dnsServers\":[],\"appliedDnsServers\":[]},\"enableAcceleratedNetworking\":false,\"enableIPForwarding\":false,\"networkSecurityGroup\":{\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Network/networkSecurityGroups/MyVM-nsg\",\"etag\":\"W/\\\"0ca6ca01-0e79-47aa-a2a0-fa291e89b843\\\"\"},\"primary\":true,\"virtualMachine\":{\"id\":\"/subscriptions/<subscriptionid>/resourceGroups/Env5/providers/Microsoft.Compute/virtualMachines/MyVM\"},\"macAddress\":null,\"migrationPhase\":null},\"type\":\"Microsoft.Network/networkInterfaces\"}" }

I have found the correct syntax to use after the advice above and understanding more from the query language reference. PS: I also had written the wrong query string in the question above, it should have been:     

\"provisioningState\":\"Succeeded"\

Anyway, here is the answer to look for the above string in the properties of a result:


AzureActivity
| sort by TimeGenerated desc nulls last
| where OperationName == "Microsoft.Network/networkInterfaces/write" and ActivityStatus == "Started"
| where Properties contains '\\"provisioningState\\":\\"Succeeded\\"' 
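An added example (not from any post in this thread) that puts Evgeny's quoting rule and the final query above side by side: the same literal written in single quotes and in double quotes, followed by a variant that parses the escaped requestbody with parse_json() instead of substring-matching it, so the alert fires on the public IP assignment itself. It assumes the legacy AzureActivity column names used in the thread (OperationName, ActivityStatus, Properties) plus Caller and ResourceGroup.

```kql
// Added example: two equivalent string literals, then a JSON-parsing alternative.
AzureActivity
| where OperationName == "Microsoft.Network/networkInterfaces/write" and ActivityStatus == "Started"
// Single-quoted literal: " needs no escaping, each literal backslash is written as \\
| where Properties contains '\\"provisioningState\\":\\"Succeeded\\"'
// The same literal in double quotes: both the backslash (\\) and the quote (\") must be escaped
// | where Properties contains "\\\"provisioningState\\\":\\\"Succeeded\\\""
// More robust than text matching: Properties is a JSON string whose requestbody field is
// itself an escaped JSON string, so parse it twice and test the fields directly.
| extend body = parse_json(tostring(parse_json(Properties).requestbody))
| where tostring(body.properties.provisioningState) == "Succeeded"
// One row per IP configuration; keep only those that reference a public IP resource.
| mv-expand ipconfig = body.properties.ipConfigurations
| where isnotempty(ipconfig.properties.publicIPAddress.id)
| project TimeGenerated, Caller, ResourceGroup,
          NicId = tostring(body.id),
          PublicIpId = tostring(ipconfig.properties.publicIPAddress.id)
| sort by TimeGenerated desc
```

The parsed form does not break if the service changes spacing or field order in the request body, which a contains-match on the escaped text would.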

Just to share my experience. In most cases I always try to use single quotes, as it is easier to deal with when you have JSON or some text to filter upon. Would be nice if the IntelliSense was actually using single quotes.