cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

String to Column KQL

Rajtoor
Copper Contributor

‎Jan 18 2023 09:01 AM

‎Jan 18 2023 09:01 AM

String to Column KQL

I want to extend DetectionMethods which is string data type in emailevents table. But this may apply to other tables and situations,

 

 

EmailEvents
| take 1000
| extend kqlt=parse_json(DetectionMethods) 
| extend DM_Phish=kqlt.Phish, DM_Spam=kqlt.Spam

 

 

 

Above results in adding this, 

Rajtoor_0-1674059475136.png

 

Values are still displayed as ["Value"] and not Value

 

Is there a better way to do this. How can I bring the value out of [""]

--------------------

If the string had more keys , is there a way to dynamically create columns. Seems like bag_unpack does it but I cannot use those in query such as filtering with where.

 

 

 

{"Phish":["Spoof external domain"],"Spam":["Mixed analysis detection"]}

 

 

 

 

Labels:
493 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by Rajtoor (Copper Contributor)
GBushey

‎Jan 20 2023 09:48 AM

‎Jan 20 2023 09:48 AM

Solution

Re: String to Column KQL

Have you tried to use "mv-expand" on the columns?
1 Like
Reply