1

already I'm facing a problem which is the inability to loop an array of objects using Kusto Query Language. The Table (Events) is under this form.

Event Entities
Ev1 [{"$id":"1","Name":"Ilyes Tab","UPNSuffix":"gmail.com","Type":"account"}, {"$id":"2","Name":"John Smith","UPNSuffix":"gmail.com","Type":"account"}]
Ev2 [{"$id":"3","Name":"william Red","UPNSuffix":"gmail.com","Type":"account"}, {"$id":"5","Name":"Steve Smith","UPNSuffix":"gmail.com","Type":"account"}, {"$id":"8","Name":"Reshald M","UPNSuffix":"gmail.com","Type":"account"}]
Ev3 [{"$id":"4","Name":"Fred Stalone","UPNSuffix":"gmail.com","Type":"account"}]

I want to loop into each object of the column "Entities" then I'm going to save the Names of these entities within a new column which will be under this form.

AllEntities
Ilyes Tab
John Smith
william Red
Steve Smith
Reshald M
Fred Stalone

Already I have worked around this problem by looping manually into each object, this is the code I managed to develop.

Events 
| project Event, 
 Entities1=tostring(parse_json(Entities)[0].Name) 
,Entities2=tostring(parse_json(Entities)[1].Name) 
,Entities3=tostring(parse_json(Entities)[2].Name) 
,Entities4=tostring(parse_json(Entities)[3].Name), 
| project AllEntities = coalesce(Entities1,Entities2,Entities3,Entities4) 
| summarize count() by AllEntities

I'm asking if anyone can offer me a solution or a function to make my loop automatically.

Improve this question
5
  • Per SO guidelines - please remove the images and provide the data in textual format (datatable / CSV / markdown table) Commented Nov 5, 2022 at 13:06
  • The code makes no sense, especially the use of coalesce. What is you end game here? Commented Nov 5, 2022 at 13:39
  • Hi david, thank you for your response. you will find here my table. storage19985645.blob.core.windows.net/data2/Classeur.csv Commented Nov 5, 2022 at 16:38
  • 👍🏽. And the required results? Commented Nov 5, 2022 at 16:46
  • Also, are you sure that Entities is of string type, and not dynamic? Commented Nov 5, 2022 at 16:53

1 Answer 1

Reset to default
0

KQL is a declarative language, similarly to SQL, and declarative languages do not use control flow commands (e.g., if, goto or loop), but provide special syntax / operators / functions that deal with complex types.

KQL provides the following operators:

datatable(Event:string, Entities:string)
[ 
    'Ev1' ,'[{"$id":"1","Name":"Ilyes Tab","UPNSuffix":"gmail.com","Type":"account"}, {"$id":"2","Name":"John Smith","UPNSuffix":"gmail.com","Type":"account"}]'
   ,'Ev2' ,'[{"$id":"3","Name":"william Red","UPNSuffix":"gmail.com","Type":"account"}, {"$id":"5","Name":"Steve Smith","UPNSuffix":"gmail.com","Type":"account"}, {"$id":"8","Name":"Reshald M","UPNSuffix":"gmail.com","Type":"account"}]'
   ,'Ev3' ,'[{"$id":"4","Name":"Fred Stalone","UPNSuffix":"gmail.com","Type":"account"}]'
]    
| mv-expand parse_json(Entities)
| project AllEntities = tostring(Entities.Name)
AllEntities
Ilyes Tab
John Smith
william Red
Steve Smith
Reshald M
Fred Stalone

Fiddle

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thank you sir, I am most satisfied with your response which totally covered my needs.
Great to hear. Please close the loop by accepting the answer.
It's done David

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.