Question

我正在将一些自定义日志摄取到Azure LogAnalytics。列之一包含嵌套的json对象。我想将每个嵌套对象返回到单独的列值。

正在尝试使用mvexpand语句，但是没有任何运气。

customLog_CL
| extend test = parsejson(target_s)
| mvexpand test

列数据如下所示。

[ { "id": "00phb49dl40lBsasC0h7", "type": "PolicyEntity", "alternateId": "unknown", "displayName": "Default Policy", "detailEntry": "@{policyType=hello}" }, { "id": "0pri9mxp9vSc4lpiU0h7", "type": "PolicyRule", "alternateId": "00phb49dl40lBsasC0h7", "displayName": "All Users Login", "detailEntry": null } ]

Answer 1

请检查是否符合您的要求。

    let hosts_object = parsejson('{"hosts": [ { "id": "00phb49dl40lBsasC0h7", "type": "PolicyEntity", "alternateId": "unknown", "displayName": "Default Policy", "detailEntry": "@{policyType=hello}" }, { "id": "0pri9mxp9vSc4lpiU0h7", "type": "PolicyRule", "alternateId": "00phb49dl40lBsasC0h7", "displayName": "All Users Login", "detailEntry": null } ]}');
    print hosts_object 
    | extend json1 = hosts_object.hosts[0] , json2 = hosts_object.hosts[1]

此输出应如下所示

Additional Documentation Reference

希望这会有所帮助。

Answer 2

我处于完全相同的情况，所以希望我们可以分享知识。我最终做了这样的事情，如果这是正确的方法，或者我有任何错误，老实说我现在不能告诉你（仍在进行数据验证，所以我稍后会更新），但是应该至少可以帮助您入门。

customLog_CL
| mvexpand parsejson(target_s)
| extend Id=target_s["id"]
| extend type=target_s["type"]
| extend OtherId=target_s["alternateId"]
| project Id, type, OtherId

Answer 3

这应该有效：

datatable(d:dynamic)  
[  
    dynamic(  
        [  
            { "id": "00phb49dl40lBsasC0h7", "type": "PolicyEntity", "alternateId": "unknown", "displayName": "Default Policy", "detailEntry": "@{policyType=hello}" },   
            { "id": "0pri9mxp9vSc4lpiU0h7", "type": "PolicyRule", "alternateId": "00phb49dl40lBsasC0h7", "displayName": "All Users Login", "detailEntry": "" }  
        ]  
    )  
]  
| mv-expand(d)  
| project key = tostring(d['id']), value = d
| extend p = pack(key, value)
| summarize bag = make_bag(p)
| evaluate bag_unpack(bag)

Output

Azure LogAnalytics解析JSON数组

3 个答案: