Internal fields have multiple values in Parsers




We are working on creating a custom connector to ingest data into Azure Sentinel. We are now working on parsers, and we are trying to replicate the data fields as in Splunk. In Splunk, the inner fields of a list of dictionaries can be individually represented. Say, for example, a is a list of dictionaries:

a = [
    {b: null, c: "string1"},
    {b: "string2", c: "string3"}
]

In Splunk we can represent a{}.b = null, a{}.b = "string2".

But we are trying to do the same in Azure, and we are actually not able to do it: we can give column a{}.b only one value from the list of values, say a{}.b = null or "string2".

Can someone please help me determine how to access the inner fields of a multi-valued field, or how to represent the multiple values under one field name, say a{}.b?

3 Replies



You can write a parser similar to this:

Table: SigninLogs
Field: AuthenticationDetails, an array whose elements look like
[0: authenticationStepRequirement]
[1: authenticationStepRequirement]
[2: authenticationMethod]

SigninLogs
| extend AuthenticationMethod = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
| extend authenticationStepRequirement = tostring(parse_json(AuthenticationDetails)[0].authenticationStepRequirement)
| extend authenticationStepRequirement1 = tostring(parse_json(AuthenticationDetails)[1].authenticationStepRequirement)
| extend authenticationMethod = tostring(parse_json(AuthenticationDetails)[2].authenticationMethod)
| project AuthenticationMethod, authenticationStepRequirement, authenticationStepRequirement1, authenticationMethod


Or you can share sample logs for better help.  



Hi, thanks for your response.

Actually, with the method suggested above, it will only be possible if we know the length of the list, i.e. how many dictionary items are present in the list.
If, in the example I provided,

a = [
    {b: null, c: "string1"},
    {b: "string2", c: "string3"},
    {b: "string3", c: "null"}
]

we don't know the length, then how should I implement the logic?
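Added example (not posted by anyone in this thread): a KQL parser for the unknown-length case asked about above, which also subsumes the index-based a[0], a[1] approach from the first reply. It expands the array with mv-expand so each element becomes a row, pulls out the inner fields, and folds them back into one multi-valued column per inner field with summarize. The table name SampleEvents, the column EventId and the function name ParseInnerFields are assumptions; the rows are constructed to match the example list in the question.

```kusto
// Constructed sample data standing in for a custom table (assumed names:
// SampleEvents, EventId, a). The second event has a different array length
// to show that no fixed index is needed.
let SampleEvents = datatable(EventId:int, a:dynamic)
[
    1, dynamic([{"b": null, "c": "string1"}, {"b": "string2", "c": "string3"}, {"b": "string3", "c": "null"}]),
    2, dynamic([{"b": "string4", "c": "string5"}])
];
// Parser function (assumed name ParseInnerFields), usable with `invoke`:
//  1. mv-expand: one row per array element, Index keeps the element position
//  2. extend: pull each inner field out of the element
//  3. summarize: collect the values back into one array per inner field,
//     per event; make_list_with_nulls keeps the null b of the first element
let ParseInnerFields = (T:(EventId:int, a:dynamic)) {
    T
    | mv-expand with_itemindex = Index Item = a
    | extend b = Item.b, c = Item.c
    | order by EventId asc, Index asc
    | summarize a_b = make_list_with_nulls(b), a_c = make_list_with_nulls(c) by EventId
};
SampleEvents
| invoke ParseInnerFields()
```

The output has one row per EventId; a_b holds every inner b value in element order (including the null) and a_c every inner c value, which is the Splunk-style a{}.b and a{}.c representation. If a single row per element is wanted instead, stop after the extend step and drop the summarize.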

Hi @Ronak_Shah,


Try this code:

SigninLogs
| project DeviceDetail
| evaluate bag_unpack(DeviceDetail)



bag_unpack will parse all the values inside it.


Check this blog: