我具有以下属性,需要将其解析为JSON。我尝试使用parse_json(),但不起作用
查询
AzureActivity
| where OperationNameValue == "Microsoft.Authorization/roleAssignments/write"
| where ActivityStatus == "Started"
| where (Properties contains "8e3af657-a8ff-443c-a75c-2fe8c4bcb635") or (Properties contains "b24988ac-6180-42a0-ab88-20f7382dd24c")
| extend request = parse_json(Properties)
| where request.requestbody.Properties.Scope == "/subscriptions/6f5c5be9-a2dd-49c9-bfa1-77d4db790171"
需要解析的原始数据
{“请求主体”: “ {\” Id \“:\” 992a2739-9bd2-4d04-bc5f-5ed1142b9861 \“,\”属性\“:{\” PrincipalId \“:\” 5ac319a4-740b-4f09-9fd3-fce3ce91fedf \“,\ “ RoleDefinitionId \”:\“ / subscriptions / 6f5c5be9-a2dd-49c9-bfa1-77d4db790171 / providers / Microsoft.Authorization / roleDefinitions / 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 \”,\“ Scope \”:\“ / subscriptions / 6f5c5be9-a2dd-49c9-bfa1-77d4db790171 \“}}” }
答案 0 :(得分:1)
看一下this page(在下面也引用)的底部,它解释了以下工作的原因(顺便说一句,请注意,我将replaced contains与{{1} },从效率的角度来看):
has通常有一个JSON字符串描述一个属性包,其中的“插槽”是另一个JSON字符串。
例如:
AzureActivity | where OperationNameValue == "Microsoft.Authorization/roleAssignments/write" | where ActivityStatus == "Started" | where (Properties has "8e3af657-a8ff-443c-a75c-2fe8c4bcb635") or (Properties has "b24988ac-6180-42a0-ab88-20f7382dd24c") | extend request = parse_json(tostring(parse_json(Properties).requestbody)) | project request.Properties.Scope在这种情况下,不仅需要两次调用parse_json,而且还必须确保在第二次调用中将使用tostring。否则,对parse_json的第二次调用将按原样将输入传递给输出,因为其声明的类型是动态的:
let d='{"a":123, "b":"{\\"c\\":456}"}'; print d