I am attempting to parse the output of an Azure AVD log in Datadog.
The entrypoint is: @properties.SessionHostHealthCheckResult which contains:
[{"HealthCheckName":0,"HealthCheckResult":1,"AdditionalFailureDetails":{"Message":"","ErrorCode":0,"LastHealthCheckInUTC":"2025-11-07T01:24:35.1223414Z"},"AdditionalDetails":null,"IsProvisioningHealthCheck":false},{"HealthCheckName":1,"HealthCheckResult":1,"AdditionalFailureDetails":{"Message":"","ErrorCode":0,"LastHealthCheckInUTC":"2025-11-07T01:24:38.8314715Z"},"AdditionalDetails":null,"IsProvisioningHealthCheck":false},{"HealthCheckName":3,"HealthCheckResult":1,"AdditionalFailureDetails":{"Message":"SessionHost healthy: SessionHost healthy: SxS stack listener is ready","ErrorCode":0,"LastHealthCheckInUTC":"2025-11-07T01:24:55.0444313Z"},"AdditionalDetails":null,"IsProvisioningHealthCheck":false},{"HealthCheckName":4,"HealthCheckResult":1,"AdditionalFailureDetails":{"Message":"{\"AccessibleUrls\":[\"77be962a-38cb-49da-9cd6-e4d1a7eff6e0.rdbroker-g-us-r1.wvd.microsoft.com\",\"77be962a-38cb-49da-9cd6-e4d1a7eff6e0.rdbroker.wvd.microsoft.com\",\"77be962a-38cb-49da-9cd6-e4d1a7eff6e0.rddiagnostics-g-us-r1.wvd.microsoft.com\",\"rdgateway-host-notgreen-c223-wus2-r1.wvd.microsoft.com\",\"mrsglobalsteus2prod.blob.core.windows.net\",\"gcs.prod.monitoring.core.windows.net\",\"centralus-shared.prod.warm.ingest.monitor.core.windows.net\",\"centralus-qos.prod.warm.ingest.monitor.core.windows.net\"],\"NotAccessibleUrls\":null,\"Context\":null}","ErrorCode":0,"LastHealthCheckInUTC":"2025-11-07T01:24:59.6074422Z"},"AdditionalDetails":null,"IsProvisioningHealthCheck":false},{"HealthCheckName":5,"HealthCheckResult":1,"AdditionalFailureDetails":{"Message":"Located running process at C:\\Program Files\\Microsoft RDInfra\\RDMonitoringAgent_46.24.3\\Agent\\MonAgentLauncher.exe","ErrorCode":0,"LastHealthCheckInUTC":"2025-11-07T01:09:38.5695095Z"},"AdditionalDetails":null,"IsProvisioningHealthCheck":false},{"HealthCheckName":9,"HealthCheckResult":1,"AdditionalFailureDetails":{"Message":"{\r\n \"Details\": \"IMDS pressumed available\",\r\n \"AzureResourceId\": 
\"/subscriptions/BCENP/resourceGroups/A3VDVDIRSG02D/providers/Microsoft.Compute/virtualMachines/AZBBBBB001-124\",\r\n \"VmId\": \"12a133b5-d0d8-46a4-b7e6-6e638b434de1\"\r\n}","ErrorCode":0,"LastHealthCheckInUTC":"2025-11-07T01:24:40.0460691Z"},"AdditionalDetails":null,"IsProvisioningHealthCheck":false},{"HealthCheckName":10,"HealthCheckResult":1,"AdditionalFailureDetails":{"Message":"SessionHost healthy: MSIX packages have been properly staged","ErrorCode":0,"LastHealthCheckInUTC":"2025-11-07T01:29:12.8268026Z"},"AdditionalDetails":null,"IsProvisioningHealthCheck":false},{"HealthCheckName":11,"HealthCheckResult":1,"AdditionalFailureDetails":{"Message":"NAT shape is Symetric when probing [turn:51.5.255.240:3478?Udp]\nTURN relay health check for server [turn:51.5.255.240:3478?Udp] succeeded\n","ErrorCode":0,"LastHealthCheckInUTC":"2025-11-07T01:31:43.118842Z"},"AdditionalDetails":null,"IsProvisioningHealthCheck":false},{"HealthCheckName":19,"HealthCheckResult":1,"AdditionalFailureDetails":{"Message":"SessionHost healthy: Microsoft Entra ID Join check succeeded. DeviceId: 96a3c0af-5f42-49a1-8ad2-e05f9c948b41.","ErrorCode":0,"LastHealthCheckInUTC":"2025-11-07T01:24:55.3126206Z"},"AdditionalDetails":null,"IsProvisioningHealthCheck":false}]
I have attempted a few different ways to attempt to process it but it always comes out not as I want. Here is an example:
Grok Parser string:
rule %{data::keyvalue(":","","")}
Results:
{
  "HealthCheckName": [
    0,
    1,
    3,
    4,
    5,
    9,
    10,
    11,
    19
  ],
  "IsProvisioningHealthCheck": [
    false,
    false,
    false,
    false,
    false,
    false,
    false,
    false,
    false
  ],
  "Message": [
    "SessionHost healthy: SessionHost healthy: SxS stack listener is ready",
    "Located running process at C:\\\\Program Files\\\\Microsoft RDInfra\\\\RDMonitoringAgent_46.24.3\\\\Agent\\\\MonAgentLauncher.exe",
    "SessionHost healthy: MSIX packages have been properly staged",
    "NAT shape is Symetric when probing [turn:51.5.255.240:3478?Udp]\\nTURN relay health check for server [turn:51.5.255.240:3478?Udp] succeeded\\n",
    "SessionHost healthy: Microsoft Entra ID Join check succeeded. DeviceId: 4629425d-2650-47d4-875e-9b222eecd700."
  ],
  "LastHealthCheckInUTC": [
    "2025-11-07T01:24:35.1223414Z",
    "2025-11-07T01:24:38.8314715Z",
    "2025-11-07T01:24:55.0444313Z",
    "2025-11-07T01:24:59.6074422Z",
    "2025-11-07T01:09:38.5695095Z",
    "2025-11-07T01:24:40.0460691Z",
    "2025-11-07T01:29:12.8268026Z",
    "2025-11-07T01:31:43.118842Z",
    "2025-11-07T01:24:55.3126206Z"
  ],
  "HealthCheckResult": [
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1
  ],
  "ErrorCode": [
    0,
    0,
    0,
    0,
    0,
    0,
    0,
    0,
    0
  ]
}
I believe I am looking for something where each health check is self-contained.
Something like this:
[
  {
    "HealthCheckName": 0,
    "IsProvisioningHealthCheck": 0,
    "Message": "SessionHost healthy: SessionHost healthy: SxS stack listener is ready",
    "LastHealthCheckInUTC": "2025-11-07T01:24:35.1223414Z",
    "HealthCheckResult": 0,
    "ErrorCode": 0
  },
  {
    "HealthCheckName": 1,
    "IsProvisioningHealthCheck": 1,
    "Message": "SessionHost healthy: MSIX packages have been properly staged",
    "LastHealthCheckInUTC": "2025-11-07T01:29:12.8268026Z",
    "HealthCheckResult": 1,
    "ErrorCode": 1
  }
]
Then this would repeat for any number of these in the @properties.SessionHostHealthCheckResult.
Additional Note
I did attempt another grok method manually doing it with no luck of course:
HealthCheckName .+\{\"HealthCheckName\"\:%{integer:health_check.name}\,\"HealthCheckResult"\:%{integer:health_check.result}\,\"AdditionalFailureDetails\"\:\{"Message":"","ErrorCode":%{integer:health_check.error_code}\,\"LastHealthCheckInUTC\"\:\"%{date("yyyy-MM-dd'T'HH:mm:ss.SSSSSSS'Z'"):health_check.date}\"\}\,\"AdditionalDetails\"\:%{data:health_check.additional_data}\,\"IsProvisioningHealthCheck\"\:%{boolean:health_check.is_provisioning_health_check}\}\,.+
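An added example, not part of the original post and not Datadog configuration: the keyvalue result above holds nine HealthCheckName values but only five Message values, so the per-key arrays cannot be paired back up by index, and the value has to be handled as a JSON array of objects instead. This Python code shows that reshaping, including the checks whose Message is itself embedded JSON. It assumes the raw string can be processed before ingestion (for example in a log forwarder); the function names and the sample input are constructed here.

```python
import json

def decode_message(message):
    """Parse Message when it carries an embedded JSON object; otherwise keep the text."""
    if message.lstrip().startswith("{"):
        try:
            return json.loads(message)
        except json.JSONDecodeError:
            pass  # looked like JSON but was not; keep it as plain text
    return message

def split_health_checks(raw):
    """Return one flat, self-contained record per entry of the health-check array."""
    records = []
    for entry in json.loads(raw):
        details = entry.get("AdditionalFailureDetails") or {}
        records.append({
            "HealthCheckName": entry.get("HealthCheckName"),
            "HealthCheckResult": entry.get("HealthCheckResult"),
            "IsProvisioningHealthCheck": entry.get("IsProvisioningHealthCheck"),
            "Message": decode_message(details.get("Message") or ""),
            "ErrorCode": details.get("ErrorCode"),
            "LastHealthCheckInUTC": details.get("LastHealthCheckInUTC"),
        })
    return records

def not_accessible_urls(records):
    """Collect NotAccessibleUrls from any record whose Message decoded to an object."""
    urls = []
    for rec in records:
        if isinstance(rec["Message"], dict):
            urls.extend(rec["Message"].get("NotAccessibleUrls") or [])
    return urls

def _sample_entry(name, message, timestamp):
    # Same field layout as the entries in the post's log value.
    return {"HealthCheckName": name, "HealthCheckResult": 1,
            "AdditionalFailureDetails": {"Message": message, "ErrorCode": 0,
                                         "LastHealthCheckInUTC": timestamp},
            "AdditionalDetails": None, "IsProvisioningHealthCheck": False}

# Constructed sample: shortened from the post's value; the blocked host is made up.
SAMPLE = json.dumps([
    _sample_entry(0, "", "2025-11-07T01:24:35.1223414Z"),
    _sample_entry(4, json.dumps({"AccessibleUrls": ["gcs.prod.monitoring.core.windows.net"],
                                 "NotAccessibleUrls": ["blocked.example.invalid"],
                                 "Context": None}), "2025-11-07T01:24:59.6074422Z"),
    _sample_entry(10, "SessionHost healthy: MSIX packages have been properly staged",
                  "2025-11-07T01:29:12.8268026Z"),
])
```

Emitting each returned record as its own log event keeps every field a scalar tied to a single check, which is the self-contained shape the post asks for.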