1

Can anyone offer a clue on how to query values within arrays, such as below? I want to find all records where

DiscoveredInformationTypes_s Confidence > 80

Can anyone help? How do I query inside this array?

MachineName_s
Version_s
ProcessName_s
ApplicationName_s
Operation_s
ObjectId_s
DiscoveredInformationTypes_s
[ { "Confidence": 55, "Count": 1, "SensitiveType": "3356946c-6bb7-449b-b253-6ffa419c0ce7", "UniqueCount": 1, "SensitiveInformationDetections": null, "Name": "International Classification of Diseases (ICD-10-CM)" } ] 

1 Answer

2

you can use mv-apply: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/mv-applyoperator

for example:

datatable(DiscoveredInformationTypes_s:dynamic)
[
    dynamic([ { "Confidence": 55, "Count": 1, "SensitiveType": "3356946c-6bb7-449b-b253-6ffa419c0ce7", "UniqueCount": 1, "SensitiveInformationDetections": null, "Name": "International Classification of Diseases (ICD-10-CM)" } ]),
    dynamic([ { "Confidence": 81, "Count": 1, "SensitiveType": "3356946c-6bb7-449b-b253-6ffa419c0ce7", "UniqueCount": 1, "SensitiveInformationDetections": null, "Name": "International Classification of Diseases (ICD-10-CM)" } ])
]
| mv-apply DiscoveredInformationTypes_s on (
    where DiscoveredInformationTypes_s.Confidence > 80
)

or, if your column is string-typed and not dynamic-typed, you'll need to invoke parse_json() on it first:

datatable(s:string)
[
    '[ { "Confidence": 55, "Count": 1, "SensitiveType": "3356946c-6bb7-449b-b253-6ffa419c0ce7", "UniqueCount": 1, "SensitiveInformationDetections": null, "Name": "International Classification of Diseases (ICD-10-CM)" } ]',
    '[ { "Confidence": 81, "Count": 1, "SensitiveType": "3356946c-6bb7-449b-b253-6ffa419c0ce7", "UniqueCount": 1, "SensitiveInformationDetections": null, "Name": "International Classification of Diseases (ICD-10-CM)" } ]'
]
| project DiscoveredInformationTypes_s = parse_json(s)
| mv-apply DiscoveredInformationTypes_s on (
    where DiscoveredInformationTypes_s.Confidence > 80
)

6 Comments

Hi Yoni, not really sure I understand. What is the (d:dynamic) and the other "dynamic"? Sorry to sound a bit dumb, but I also don't understand what the "d on" is? What does mv-apply mean?
I tried this, but it doesn't work... InformationProtectionLogs_CL | mv-apply DiscoveredInformationTypes_s on (where DiscoveredInformationTypes_s.Confidence > 80)
If DiscoveredInformationTypes_s is a string and not a dynamic column, you'll need to first make it dynamic (e.g. by invoking parse_json() on it)
Hi, sorry, but it's not that it's a string, I don't understand why you have used "d" .. what is d? I've looked at the syntax on that MS page and I don't understand the terms. Why is there not a simple way just to query the value of one of these list pairs? :( This seems far more complex than needed. Don't get it.
d is just a name of a dynamic-typed column in the example (I've now renamed it to match your original column name, DiscoveredInformationTypes_s, if that helps). I'm using an inline datatable for the sake of providing you with a reproducible example/query, as obviously only you have access to your table
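
The same technique applied to a table shaped like the one in the question, as an added example that is not part of the original answer or comments. The inline datatable is constructed sample data standing in for InformationProtectionLogs_CL; the "Constructed Type" names and the column names InfoTypes, InfoType, TypeName, HighConfidenceTypes and MaxConfidence are assumptions. It goes a little beyond the answer by keeping the other columns and handling arrays with several entries.

```kusto
// Constructed sample rows standing in for InformationProtectionLogs_CL.
// DiscoveredInformationTypes_s is string-typed here, so the array arrives as JSON text.
let SampleLogs = datatable(MachineName_s:string, ObjectId_s:string, DiscoveredInformationTypes_s:string)
[
    'HOST-A', 'doc1.docx', '[{"Confidence":55,"Count":1,"Name":"International Classification of Diseases (ICD-10-CM)"}]',
    'HOST-B', 'doc2.docx', '[{"Confidence":85,"Count":2,"Name":"Constructed Type A"},{"Confidence":60,"Count":1,"Name":"Constructed Type B"}]',
    'HOST-C', 'doc3.docx', '[{"Confidence":95,"Count":1,"Name":"Constructed Type A"},{"Confidence":90,"Count":3,"Name":"Constructed Type C"}]',
    'HOST-D', 'doc4.docx', ''
];
SampleLogs
// Turn the JSON text into a dynamic array so its elements can be addressed.
| extend InfoTypes = parse_json(DiscoveredInformationTypes_s)
// mv-apply runs the subquery once per record, over that record's array elements.
// "InfoType" is the name given to a single element inside the subquery.
| mv-apply InfoType = InfoTypes on (
    extend Confidence = tolong(InfoType.Confidence)   // explicit type instead of comparing a dynamic value
    | where Confidence > 80                           // HOST-A (55) and HOST-D (no elements) produce no rows
    | project TypeName = tostring(InfoType.Name), Confidence
)
// At this point there is one row per matching element: one for HOST-B, two for HOST-C.
// Collapse back to one row per log record, keeping only the high-confidence types.
| summarize HighConfidenceTypes = make_list(TypeName), MaxConfidence = max(Confidence)
    by MachineName_s, ObjectId_s
```

To run it against the real table, replace SampleLogs (and the let statement) with InformationProtectionLogs_CL.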