Aug 20 2021 01:16 AM
Hi,
We are working on creating a custom connector to ingest data into Azure Sentinel. We are now working on parsers, and we are trying to replicate the data fields as in Splunk. In Splunk, the inner fields of a list of dictionaries can be individually represented. Say, for example, a is a list of dictionaries:
a = [
{b: null, c: "string1"},
{b: "string2", c: "string3"}
]
In Splunk we can represent a{}.b = null, a{}.b = "string2".
But when we try to do the same in Azure, we are not able to: we can give the column a{}.b only one value from the list of values, say a{}.b = null or string2.
Can someone please help me determine how to access the inner fields of a multi-valued field, or how to represent the multiple values under one field name, say a{}.b?
Aug 20 2021 10:38 AM
You can write a parser similar to this,
e.g.
SigninLogs {Table Name}
AuthenticationDetails {Field Name}
[0:authenticationMethod
0: authenticationStepRequirement]
[1: authenticationStepRequirement]
[2: authenticationMethod]
Parser:
SigninLogs
// AuthenticationDetails is a dynamic (JSON) array; each [n] below reads one fixed element.
// Note: KQL column names are case-sensitive, so AuthenticationMethod (from element [0])
// and authenticationMethod (from element [2]) are two distinct output columns.
| extend AuthenticationMethod = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
| extend authenticationStepRequirement = tostring(parse_json(AuthenticationDetails)[0].authenticationStepRequirement)
| extend authenticationStepRequirement1 = tostring(parse_json(AuthenticationDetails)[1].authenticationStepRequirement)
| extend authenticationMethod = tostring(parse_json(AuthenticationDetails)[2].authenticationMethod)
| project AuthenticationMethod, authenticationStepRequirement, authenticationStepRequirement1, authenticationMethod
Or you can share sample logs for better help.
Aug 23 2021 10:11 PM
Hi, thanks for your response.
Actually, the method suggested above is only possible if we know the length of the list, i.e. how many dictionary items are present in the list.
If, in the example I provided,
a = [
{b: null, c: "string1"},
{b: "string2", c: "string3"}
.....
{b: "string3", c: "null"}]
we don't know the length, then how should I implement the logic?
Aug 25 2021 04:15 AM
Hi @Ronak_Shah,
Try this code,
SigninLogs
| project DeviceDetail
// DeviceDetail is a dynamic property bag; bag_unpack turns each of its keys into a column.
| evaluate bag_unpack(DeviceDetail)
bag_unpack will parse all the values inside it.
Check this Blog: https://www.cloudsma.com/2020/01/extracting-nested-fields-kusto/
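For the case the question actually raises, a list of dictionaries whose length is not known in advance, the Kusto operator that fits is mv-expand: it emits one row per list element, and summarize can then re-collect each inner field into one multi-valued column, the equivalent of Splunk's a{}.b (bag_unpack, by contrast, expands the keys of a single property bag such as DeviceDetail). The following KQL is an added example, not code from either reply; the Events table, the EventId column and the row values are constructed sample data in the shape of the question's field a, and the same pattern applies to an array column such as SigninLogs.AuthenticationDetails.

```kql
// Added example (not from the thread). Handles a list of dictionaries of
// unknown length with mv-expand, instead of fixed [0], [1], [2] indexes.
// 'Events' is constructed sample data shaped like the question's field 'a';
// with a real custom table, replace the let statement with the table name.
let Events = datatable(EventId:int, a:dynamic) [
    1, dynamic([{"b": null, "c": "string1"}, {"b": "string2", "c": "string3"}]),
    2, dynamic([{"b": "string4", "c": "string5"}]),
    3, dynamic([{"b": "string6", "c": "string7"},
                {"b": "string8", "c": "string9"},
                {"b": null,      "c": "string10"}])
];
// Step 1: one row per list element, whatever the list length.
// with_itemindex records the element's position inside the original list.
let Expanded = Events
    | mv-expand with_itemindex = idx item = a
    | extend b = item.b, c = item.c;   // keep dynamic so a JSON null stays null
// Step 2: re-collect per event so each inner field becomes one multi-valued
// column, the equivalent of Splunk's a{}.b and a{}.c.
// make_list_with_nulls keeps the null b values in position; make_list drops them.
Expanded
| summarize a_b = make_list_with_nulls(b), a_c = make_list(c), count_a = count()
  by EventId
| order by EventId asc
// Step 3 (detection use): the expanded rows can be filtered on any element,
// e.g. append '| where b == "string2"' to Expanded to find events whose
// list contains that value at any index, not only at a fixed position.
```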