How to find a specific element in a dynamic array in KQL?
I am trying to produce a table of privileged role activations over a period of time. In addition, I would like columns for the attributes "TicketSystem" and "TicketNumber". These appear in the "AdditionalDetails" field, which seems to be a dynamically captured list or array. But because this list or array is dynamically sized (some fields are optional and are not always present), I cannot index a fixed position. Instead, I have to search inside the elements for the appropriate key name.
What I have at the moment is something like this:
AuditLogs
| where TimeGenerated > now() - 7d
| where Category == 'RoleManagement'
| where
TargetResources contains "Global Administrator"
and
(
OperationName contains "Add member to role completed (PIM activation)"
or OperationName contains "Add eligible member to role in PIM completed"
or OperationName contains "Add member to role outside of PIM"
or OperationName contains "Add member to role request approved (PIM activation)"
)
| extend _InitiatedByUPN = parse_json(InitiatedBy.user.userPrincipalName)
// TargetResources is a JSON array: element [0] is the role, element [1] the principal
| extend _Target_displayName = parse_json(TargetResources)[0].displayName
| extend _Target_type = parse_json(TargetResources)[1].type
// AdditionalDetails is an array of {"key": ..., "value": ...} objects
| extend AD = parse_json(AdditionalDetails)
| project format_datetime(ActivityDateTime,'yyyy-MM-dd HH:mm:ss'), Identity, _InitiatedByUPN, OperationName, _Target_displayName, ResultReason, AD.TicketSystem, AD.TicketNumber
But it gives empty entries for the AD.TicketSystem and AD.TicketNumber columns.
I have tried various modifications based on similar questions and answers, but they all failed.
I created an example based on your query. So, to answer your question:
Use mv-expand AdditionalDetails, as shown below:
// Constructed sample table with the same columns the query in the question relies on
let AuditLogs = datatable (
TimeGenerated: datetime,
Category: string,
TargetResources: string,
OperationName: string,
InitiatedBy: dynamic,
AdditionalDetails: dynamic,
ActivityDateTime: datetime,
Identity: string,
ResultReason: string
)
[
datetime(2024-06-28T10:00:00Z), "RoleManagement", '[{"displayName":"Global Administrator"},{"type":"Role"}]', "Add member to role completed (PIM activation)", dynamic({"user":{"userPrincipalName":"[email protected]"}}), dynamic([{"key":"TicketSystem", "value":"ServiceNow"}, {"key":"TicketNumber", "value":"INC001"}]), datetime(2024-06-28T10:00:00Z), "user1", "Success",
datetime(2024-06-29T11:00:00Z), "RoleManagement", '[{"displayName":"Global Administrator"},{"type":"Role"}]', "Add eligible member to role in PIM completed", dynamic({"user":{"userPrincipalName":"[email protected]"}}), dynamic([{"key":"TicketSystem", "value":"Jira"}, {"key":"TicketNumber", "value":"TKT002"}]), datetime(2024-06-29T11:00:00Z), "user2", "Success",
datetime(2024-06-30T12:00:00Z), "RoleManagement", '[{"displayName":"Global Administrator"},{"type":"Role"}]', "Add member to role outside of PIM", dynamic({"user":{"userPrincipalName":"[email protected]"}}), dynamic([{"key":"TicketSystem", "value":"ServiceNow"}, {"key":"TicketNumber", "value":"INC003"}, {"key":"TicketNumber", "value":"INC004"}, {"key":"TicketNumber", "value":"INC005"}]), datetime(2024-06-30T12:00:00Z), "user3", "Failure",
datetime(2024-07-01T13:00:00Z), "RoleManagement", '[{"displayName":"Global Administrator"},{"type":"Role"}]', "Add member to role request approved (PIM activation)", dynamic({"user":{"userPrincipalName":"[email protected]"}}), dynamic([{"key":"TicketSystem", "value":"Jira"}, {"key":"TicketNumber", "value":"TKT004"}]), datetime(2024-07-01T13:00:00Z), "user4", "Success",
datetime(2024-07-02T14:00:00Z), "RoleManagement", '[{"displayName":"Global Administrator"},{"type":"Role"}]', "Add member to role completed (PIM activation)", dynamic({"user":{"userPrincipalName":"[email protected]"}}), dynamic([{"key":"TicketSystem", "value":"ServiceNow"}, {"key":"TicketNumber", "value":"INC005"}]), datetime(2024-07-02T14:00:00Z), "user5", "Success",
datetime(2024-07-03T15:00:00Z), "RoleManagement", '[{"displayName":"User"},{"type":"Role"}]', "Add member to role outside of PIM", dynamic({"user":{"userPrincipalName":"[email protected]"}}), dynamic([{"key":"TicketSystem", "value":"Jira"}, {"key":"TicketNumber", "value":"TKT006"}]), datetime(2024-07-03T15:00:00Z), "user6", "Failure"
];
AuditLogs
| where TimeGenerated >= ago(7d)
| where Category == 'RoleManagement'
| where
TargetResources contains "Global Administrator"
and
(
OperationName contains "Add member to role completed (PIM activation)"
or OperationName contains "Add eligible member to role in PIM completed"
or OperationName contains "Add member to role outside of PIM"
or OperationName contains "Add member to role request approved (PIM activation)"
)
| extend _InitiatedByUPN = InitiatedBy.user.userPrincipalName
| extend _Target_displayName = parse_json(TargetResources)[0].displayName
| extend _Target_type = parse_json(TargetResources)[1].type
// One output row per element of the AdditionalDetails array
| mv-expand AdditionalDetails
| extend TicketSystem = tostring(AdditionalDetails.key)
| extend TicketNumber = tostring(AdditionalDetails.value)
| project format_datetime(ActivityDateTime,'yyyy-MM-dd HH:mm:ss'),
Identity,
_InitiatedByUPN,
OperationName,
_Target_displayName,
ResultReason,
TicketSystem,
TicketNumber
Find the sample code here.
Result:
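As an added example (not the questioner's or answerer's code), the following query looks the two entries up by key name with mv-apply and make_bag, so each activation stays a single row with its own TicketSystem and TicketNumber columns, whatever position the entries occupy and even when they are absent. Column names follow the question; the rows, UPNs and the "ExtraDetail" key are constructed here.

```kql
// Constructed sample: only the columns needed to show the key/value lookup
let AuditLogs = datatable (
    TimeGenerated: datetime,
    OperationName: string,
    InitiatedBy: dynamic,
    AdditionalDetails: dynamic,
    ResultReason: string
)
[
    datetime(2024-06-28T10:00:00Z), "Add member to role completed (PIM activation)",
      dynamic({"user":{"userPrincipalName":"alice@example.com"}}),
      dynamic([{"key":"TicketSystem","value":"ServiceNow"},{"key":"TicketNumber","value":"INC001"}]),
      "Success",
    // Constructed extra entry in front of the ticket keys: fixed indexes [0]/[1] would now pick the wrong element
    datetime(2024-06-29T11:00:00Z), "Add eligible member to role in PIM completed",
      dynamic({"user":{"userPrincipalName":"bob@example.com"}}),
      dynamic([{"key":"ExtraDetail","value":"x"},{"key":"TicketSystem","value":"Jira"},{"key":"TicketNumber","value":"TKT002"}]),
      "Success",
    // No ticket entries at all: the row is kept and both ticket columns come back empty
    datetime(2024-06-30T12:00:00Z), "Add member to role outside of PIM",
      dynamic({"user":{"userPrincipalName":"carol@example.com"}}),
      dynamic([{"key":"ExtraDetail","value":"y"}]),
      "Failure"
];
AuditLogs
// Walk the array for each row and fold its {key, value} pairs into one property bag,
// so the row is not multiplied the way a plain mv-expand would multiply it
| mv-apply d = AdditionalDetails on (
    summarize Details = make_bag(bag_pack(tostring(d.key), tostring(d.value)))
  )
// Look the values up by key name; a missing key yields an empty string rather than an error
| extend TicketSystem = tostring(Details.TicketSystem),
         TicketNumber = tostring(Details.TicketNumber)
| project TimeGenerated,
          OperationName,
          InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName),
          ResultReason,
          TicketSystem,
          TicketNumber
```

Rows whose activation carried no ticket reference are the ones worth reviewing, since a PIM activation without a TicketSystem or TicketNumber bypasses the justification the policy expects.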