User Profile
EricM1375
Copper Contributor
Joined May 20, 2020
Recent Discussions
How to display multi-values
Very new to KQL - so apologies if this is "obvious"!

I am creating alerts from Log Analytics data to create emails on changes to Network Security Groups. So far so good, I get a nicely formatted table in the alert email - except for the destination port from the LA entry.

I can get the value out of the JSON with

extend destPorts = parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).destinationPortRanges

which generates

destPorts ["80","443","7547","7647"]

How do I now get that into the output as a simple text string - looking exactly like above?

["80","443","7547","7647"]

The full query is this - illegal at the moment as it says "Path expression destPorts source must be scalar of type 'dynamic'. Received a source of type string instead"

AzureActivity
| where _ResourceId has "-subnet-nsg" and Properties has "requestbody"
| extend Time = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss')
| extend Admin = tostring(parse_json(Properties).caller)
| extend resourceGroup_ = tostring(parse_json(Properties).resourceGroup)
| extend hierarchy_ = split(tostring(parse_json(Properties).hierarchy), "/")
| extend sourcePort = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).sourcePortRange)
| extend sourceAdd = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).sourceAddressPrefix)
| extend proto = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).protocol)
| extend priority_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).priority)
| extend dir = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).direction)
| extend destPort = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).destinationPortRange)
| extend destinationApplicationSecurityGroups_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).destinationApplicationSecurityGroups)))
| extend destAdd = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).destinationAddressPrefix)
| extend description_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).description)
| extend Outcome = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).access)
| mv-expand subid=hierarchy_[0], lz=hierarchy_[1], sub=hierarchy_[2]
//| project-away hierarchy_
| extend nsgN2 = split(tostring(parse_json(Properties).entity),"/")
| extend nsgName = strcat(nsgN2[8],"/",nsgN2[10],"/",nsgN2[10])
| extend destPorts = parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).destinationPortRanges
| project Time, Admin, lz, sub, resourceGroup_, nsgName, sourceAdd, sourcePort, destAdd, destPort. destPorts, dir, priority_, description_, proto, Outcome

Output today looks like this (without destPorts):

Insights
Top 10 result(s)
Time: 2021-05-19 09:31:56
Admin: xxx.xxx@xxx.com
lz: xxxx
sub: Landing-Zones
resourceGroup_: xxxx-EUTS-PRD-RG-01
nsgName: xxx-euts-prd-connectivity-subnet-nsg/Allow-Outbound-xxxx/Allow-Outbound-xxx
sourceAdd: xx.xxx.x.xx/28
sourcePort: *
destAdd: yy.yyy.yy.yyy
dir: Outbound
priority_: 3000
proto: TCP
Outcome: Allow

This is only an issue when the dest port entry is multi-valued.

8.9K Views, 0 likes, 0 Comments

Re: Get-RdsDiagnosticActivities returns no activities, even when setting tenant name and upn
MS_Clouder douglind1 Unofficial answer I was given by MS - "It's not coming back". Is not part of Spring ARM release at all. Guidance is to use Analytics, but I've told them that it's not fast enough - which they heard and fed back to product.

2.1K Views, 0 likes, 0 Comments

Re: Get-RdsDiagnosticActivities returns no activities, even when setting tenant name and upn
douglind1 Do you or anybody else know if MS have re-enabled this yet? We're still getting no activities to get-rdsdiagnosticsactivity -tenant XXX. Analytics is working fine, but is delayed by up to 30 minutes, meaning it's no use solving here-and-now problems!

2.4K Views, 0 likes, 2 Comments
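
For the "How to display multi-values" question above, a sketch added here (not code from the thread) that parses the request body once and renders the multi-valued destinationPortRanges as text with tostring(). The sample rows and the rule and destPortDisplay column names are constructed for illustration.

```kusto
// Constructed sample rows standing in for AzureActivity; not real log data.
// Assumption: requestbody is a JSON string whose "properties" member is an object.
let SampleActivity = datatable(TimeGenerated: datetime, Properties: string) [
    // Rule change with a multi-valued destination port list.
    datetime(2021-05-19 09:31:56),
    @'{"caller":"admin@example.com","requestbody":"{\"properties\":{\"protocol\":\"TCP\",\"destinationPortRanges\":[\"80\",\"443\",\"7547\",\"7647\"],\"access\":\"Allow\"}}"}',
    // Rule change with a single destination port.
    datetime(2021-05-19 09:40:12),
    @'{"caller":"admin@example.com","requestbody":"{\"properties\":{\"protocol\":\"TCP\",\"destinationPortRange\":\"22\",\"access\":\"Deny\"}}"}'
];
SampleActivity
// Parse the nested request body once and reuse it for every field.
| extend rule = parse_json(tostring(parse_json(Properties).requestbody)).properties
| extend Time = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss')
| extend Admin = tostring(parse_json(Properties).caller)
| extend proto = tostring(rule.protocol)
| extend Outcome = tostring(rule.access)
// Single-valued field: empty string when the rule uses the multi-valued form.
| extend destPort = tostring(rule.destinationPortRange)
// tostring() on a dynamic array returns its JSON text, e.g. ["80","443","7547","7647"];
// it returns an empty string when the field is absent.
| extend destPorts = tostring(rule.destinationPortRanges)
// One display column for the alert email: the single range if set, otherwise the list.
| extend destPortDisplay = coalesce(destPort, destPorts)
// Column names in project are separated by commas. A period between two names
// is read as a path expression on the first column, which must then be dynamic.
| project Time, Admin, proto, destPort, destPorts, destPortDisplay, Outcome
```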