Last active
July 18, 2023 16:25
-
-
Save s4parke/c51346f335c6c757106bf04ba1d962b8 to your computer and use it in GitHub Desktop.
KQL double flip JSON conversion
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Billable ingested GB for an AKS cluster resource | |
| // with breakdown by Namespace, 10:1 speed sampling | |
| let _ratio = 0.1; | |
| AzureDiagnostics | |
| | where Resource == "ZZ" | |
| | where rand() < (_ratio) | |
| | extend logs = parse_json(tostring(AdditionalFields.log)) | |
| | extend Namespace = coalesce(tostring(parse_json(logs.responseObject.webhooks[0].clientConfig.service.namespace)), "none") | |
| | summarize BillableDataGB=toint(sum(_BilledSize)/ 1000000)/(_ratio) by Namespace | |
| // Using KQL double backflip parse_json <> tostring conversion | |
| // to extract "Namespace" property from deep JSON object | |
| AzureDiagnostics | |
| | where AdditionalFields.log has 'namespace":"kyverno"' | |
| | extend logs = parse_json(tostring(AdditionalFields.log)) | |
| | extend Namespace = coalesce(tostring(parse_json(logs.responseObject.webhooks[0].clientConfig.service.namespace)), "none") | |
| | take 10 | |
| // Here is another example | |
| // Properties_d.policies[0] is the object we are looking for | |
| AzureActivity | |
| | where CategoryValue == "Policy" | |
| | take 100 | |
| | extend policies = parse_json(tostring(Properties_d.policies)) | |
| | extend policyAssignmentId = tostring(parse_json(policies[0].policyAssignmentName)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment