How can I get a specific parameter field using KQL ?

%3CLINGO-SUB%20id%3D%22lingo-sub-1321430%22%20slang%3D%22en-US%22%3EHow%20can%20I%20get%20a%20specific%20parameter%20field%20using%20KQL%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1321430%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-message-body%20lia-component-message-view-widget-body%20lia-component-body-signature-highlight-escalation%20lia-component-message-view-widget-body-signature-highlight-escalation%22%3E%3CDIV%20class%3D%22lia-message-body-content%22%3E%3CP%3EHello%20everyone%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'd%20like%20to%20make%20a%20little%20table%20dashboard%20with%20the%20following%20request%3C%2FP%3E%3CP%3EOfficeActivity%3CBR%20%2F%3E%7C%20where%20OfficeWorkload%20%3D%3D%20%22Exchange%22%3CBR%20%2F%3E%7C%20where%20Operation%20%3D%3D%20%22Add-MailboxPermission%22%3CBR%20%2F%3E%3CBR%20%2F%3EThen%20project%20the%20columns%20TimeGenerated%2C%20%3CSTRONG%3EParameters.Value%20(for%20the%20Identity%20field)%3C%2FSTRONG%3E%20and%20%3CSTRONG%3EParameters.Value%20(for%20the%20AccessRight%20field)%3C%2FSTRONG%3E%2C%20and%20UserId.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can't%20get%20to%20the%20parameters%20part%20because%20sometimes%20the%20fields%20I'm%20interested%20in%20are%20%3CSTRONG%3Ein%20the%20table%20in%20position%200%20or%201%20or%202%20or%203%20(constantly%20changing%20for%20same%20log%20type).%3C%2FSTRONG%3E%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Capture1.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F185373i1BF09BBE25300178%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Capture1.PNG%22%20alt%3D%22Capture1.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20have%20any%20solution%20to%20get%20the%20specific%20parameter%20field%20(example%20the%20Value%20when%20Name%20%3D%20Identity)%20for%20every%20log%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20a%20lot%3C%2FP%3E%3CP%3EAlexander%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1321430%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EQuery%20Language%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1322006%22%20slang%3D%22en-US%22%3ERe%3A%20How%20can%20I%20get%20a%20specific%20parameter%20field%20using%20KQL%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1322006%22%20slang%3D%22en-US%22%3EDo%20not%20click%20this%20link%20it%20is%20a%20fake%20domain%20trying%20to%20steal%20credentials!!%3CBR%20%2F%3EThe%20domain%20is%20not%20owned%20by%20Microsoft%20and%20was%20registered%20this%20morning.%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello everyone,

 

I'd like to make a little table dashboard with the following request

OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation == "Add-MailboxPermission"

Then project the columns TimeGenerated, Parameters.Value (for the Identity field) and Parameters.Value (for the AccessRight field), and UserId.

 

I can't get to the parameters part because sometimes the fields I'm interested in are in the table in position 0 or 1 or 2 or 3 (constantly changing for same log type).

 

Capture1.PNG

 

Do you have any solution to get the specific parameter field (example the Value when Name = Identity) for every log ?

 

Thanks a lot

Alexander

1 Reply
Do not click this link it is a fake domain trying to steal credentials!!
The domain is not owned by Microsoft and was registered this morning.