1

我正在处理由以下查询产生的 JSON 数据(如下)。

SignInLogs
| project AddtionalDetails

结果

[{"value":"test.com","key":"TenantId"},{"value":"PC100921","key":"PolicyId"},{"value":"f4525425-60ff-42a7-acf4-f88c4266431f","key":"ApplicationId"},{"value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","key":"Client"},{"value":"SMS","key":"VerificationMethod"},{"value":"+1232123211","key":"PhoneNumber"},{"value":"e000::5890, 128.1.1.1","key":"ClientIpAddress"},{"value":"https://test.com","key":"DomainName"}]

我想使用 query 访问特定的字段,例如 PolicyId SignInLogs | Policy=extractjson("$.[1].value", tostring(AdditionalDetails)) | project Policy 。但是,由于不能保证字段的顺序和它们的存在,所以不能总是[1]用作索引。

有没有更好的方法来访问不承诺订购和可用性的 JSON 字段?与其他语言一样,您可以通过键名检查空引用和访问。

4

1 回答 1

4

像这样的东西?

let T =datatable(AdditionalDetails:dynamic )[dynamic([{"value":"test.com","key":"TenantId"},{"value":"PC100921","key":"PolicyId"},{"value":"f4525425-60ff-42a7-acf4-f88c4266431f","key":"ApplicationId"},{"value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","key":"Client"},{"value":"SMS","key":"VerificationMethod"},{"value":"+1232123211","key":"PhoneNumber"},{"value":"e000::5890, 128.1.1.1","key":"ClientIpAddress"},{"value":"https://test.com","key":"DomainName"}])];
T
| mv-apply AdditionalDetails on ( 
    extend IP = iif(AdditionalDetails.key=="ClientIpAddress", tostring(AdditionalDetails.value), ""), 
           PolicyId = iif(AdditionalDetails.key=="PolicyId", tostring(AdditionalDetails.value), "")
   | where isnotempty(IP) or isnotempty( PolicyId) 
   | summarize take_any(IP), take_any(PolicyId)
)
知识产权 策略 ID
e000::5890, 128.1.1.1 PC100921
于 2022-01-13T14:37:07.050 回答