how to parse logs in DCR if RawMessage is in JSON


Dear Fellow Members,


I am going through the tutorial on ingesting logs through the Azure Log Ingestion API.
At the moment I am at the point where I need to create a DCR for ingesting the logs. I managed to upload the sample logs, and now I would have to set up the schema/transformation rules for the log ingestion.

Now my problem is that the RawMessage part of the ingested logs is basically a JSON document:


[
  {
    "RawData": "{\"SourceName\":\"Microsoft-Windows-DNSServer\",\"ProviderGuid\":\"{EB79061A-A566-4698-9119-3ED2807060E7}\",\"EventID\":256,\"Version\":0,\"ChannelID\":16,\"Channel\":\"Microsoft-Windows-DNS-Server/Analytical \",\"LevelValue\":4,\"Level\":\"Information \",\"OpcodeValue\":0,\"TaskValue\":1,\"Category\":\"LOOK_UP \",\"Keywords\":\"9223372036854775809\",\"EventTime\":\"2023-04-13T10:22:14.043901+02:00\",\"ExecutionProcessID\":6624,\"ExecutionThreadID\":4708,\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"Hostname\":\"windns\",\"Domain\":\"NT AUTHORITY\",\"AccountName\":\"SYSTEM\",\"UserID\":\"S-1-5-18\",\"AccountType\":\"User\",\"Flags\":\"256\",\"TCP\":\"0\",\"InterfaceIP\":\"172.18.88.20\",\"Source\":\"172.18.88.20\",\"RD\":\"1\",\"QNAME\":\"v10.events.data.microsoft.com.\",\"QTYPE\":\"1\",\"XID\":\"21030\",\"Port\":\"59130\",\"ParsedPacketData\":{\"dns.id\":21030,\"dns.flags.recursion_desired\":\"true\",\"dns.flags.truncated_response\":\"false\",\"dns.flags.authoritative\":\"false\",\"dns.opcode\":\"QUERY\",\"dns.flags.query_or_response\":\"false\",\"dns.response.code\":\"NOERROR\",\"dns.flags.checking_disabled\":\"false\",\"dns.flags.authentic_data\":\"false\",\"dns.flags.recursion_available\":\"false\",\"dns.query\":[{\"dns.query.name\":\"v10.events.data.microsoft.com\",\"dns.query.type\":\"A\",\"dns.query.class\":\"IN\"}]},\"PacketData\":\"0x52260100000100000000000003763130066576656E74730464617461096D6963726F736F667403636F6D0000010001\",\"AdditionalInfo\":\".\",\"GUID\":\"{B021826E-78B1-4574-8B19-0FF06408A144}\",\"EventReceivedTime\":\"2023-04-13T10:22:16.140231+02:00\",\"SourceModuleName\":\"in_windowsdns_auditanalytics_sentinel_windows\",\"SourceModuleType\":\"im_etw\",\"HostIP\":\"172.18.88.20\",\"BufferSize\":\"N/A\"}",
    "Time": "2023-04-19T07:30:08.5953753Z",
    "Application": "LogGenerator"
  }
]


Now that is already in a structured format which should be reasonably easy to parse. However, I haven't seen any examples of doing that. I have only encountered JSON parsing examples where the JSON text was contained in some field, and the result of the parsing would be assigned to a different/new field. In this case the JSON content is filled with key-value pairs that should belong to different fields in the new table.

Have any of you encountered a similar situation? If yes, how did you manage to solve it? Is anything like this even possible in a DCR?

source
| parse RawData as json 


Thanks,

János
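Added editorial example, not from the thread: a DCR transformKql that lifts the keys inside the JSON in RawData into their own columns. It assumes the input stream declares the Time, Application and RawData columns shown in the sample above, and that the destination custom table has exactly the columns produced by the final project (column names are an assumption; rename them to match your table).

```kql
// Added example, not from the original post. Assumes the stream columns
// Time, Application and RawData and a destination table with the columns below.
source
| extend d = parse_json(RawData)
| extend q = d.ParsedPacketData["dns.query"][0]
| project
    TimeGenerated = todatetime(Time),
    EventTime = todatetime(d.EventTime),
    Application,
    Hostname = tostring(d.Hostname),
    EventID = toint(d.EventID),
    Level = trim(" ", tostring(d.Level)),
    Category = trim(" ", tostring(d.Category)),
    AccountName = tostring(d.AccountName),
    UserID = tostring(d.UserID),
    SourceIP = tostring(d.Source),
    SourcePort = toint(d.Port),
    QNAME = tostring(d.QNAME),
    QTYPE = toint(d.QTYPE),
    XID = toint(d.XID),
    QueryName = tostring(q["dns.query.name"]),
    QueryType = tostring(q["dns.query.type"]),
    ResponseCode = tostring(d.ParsedPacketData["dns.response.code"]),
    Keywords = tostring(d.Keywords),
    PacketData = tostring(d.PacketData)
```

Keys containing dots (dns.query, dns.query.name) must be addressed with bracket syntax rather than dot notation, and Keywords is kept as a string because the sample value 9223372036854775809 exceeds the int64 range that tolong() accepts. The transformKql value in a DCR is stored as a single-line string, so strip the // comment lines before pasting the query into the rule.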


4 Replies
Does anyone have any idea on how to do this?
I still have this problem. Could someone please help?

I still don't know how to overcome this problem.

I am still looking for an answer.