
In my Azure Monitor log output, the data is in array format. I want to use a Kusto query to fetch that array data in tabular format. Could you please help with how to do this without pasting the JSON array manually in KQL?

JSON output array:

{
    "count": 6,
    "value": [
        {
            "Total_Record_Count": 6,
            "date": "2021-02-01"
        },
        {
            "Total_Record_Count": 4,
            "date": "2020-11-02"
        },
        {
            "Total_Record_Count": 6,
            "date": "2020-10-01"
        },
        {
            "Total_Record_Count": 1,
            "date": "2020-09-01"
        },
        {
            "Total_Record_Count": 3,
            "date": "2020-08-03"
        },
        {
            "Total_Record_Count": 18,
            "date": "2020-07-01"
        }   
    ]
}

I want Kusto query output like:

Total_Record_Count        Date
6                         2021-03-01
4                         2021-02-01
6                         2021-01-01
1                         2020-12-01
3                         2020-11-01
18                        2020-10-01

1 Answer

Here you go:

Table
| project d.value
| mv-expand d_value
| project RecordCount = d_value['Total_Record_Count'], Date = d_value['date']

Explanation:

  1. First you have to extract the value by doing YourDynamicColumnName.value, or YourDynamicColumnName['value'] - these are the same.

  2. The next step is to use mv-expand in order to split the array into multiple records (see doc for more info).

  3. As a last step you'll need to extract the two values from every cell, again, by using the following syntax: ColumnName.Key or ColumnName['Key'] (the two are identical).

5 Comments

Do we need to paste the JSON array into the query every time? Can't we do it in an automatic way, mentioning ADFPipelinename and ADFActivityName and then parse_json(Output).Total_Record_Count, something like this?
No, you don't need to paste the JSON. I just put it here as an example. The actual query that you need is the last 4 lines of what I wrote. I'll update the answer by deleting the sample JSON, in order not to confuse the others.
I don't have a table here; the data is in JSON array format. I searched, and everywhere the solution given is pasting the JSON code and using mv-expand in the query.
You wrote "data is in JSON array format" - but where does this data reside? If it's in a table, then you'll indeed need mv-expand, and then use the solution I provided.
I am fetching data from Azure Monitor, in Log Analytics, using Log Management functions like: ADFPipeline, Pipelinename, ADFActivity, ActivityName, etc.
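
The three steps from the answer, written out as an added example that is not part of the original answer or comments. A constructed one-row datatable stands in for the log table so the query runs as pasted; the names SampleLogs, ActivityName, Output and LookupCounts are assumptions for illustration, and the JSON is the question's payload shortened to three elements.

```kusto
// Constructed sample: one log row whose Output column holds the JSON text.
// SampleLogs, ActivityName, Output and "LookupCounts" are assumed names.
let SampleLogs = datatable(ActivityName: string, Output: string)
[
    "LookupCounts", '{"count":3,"value":[{"Total_Record_Count":6,"date":"2021-02-01"},{"Total_Record_Count":4,"date":"2020-11-02"},{"Total_Record_Count":18,"date":"2020-07-01"}]}'
];
SampleLogs
// Pick the rows that carry the array; no JSON is pasted into the query itself.
| where ActivityName == "LookupCounts"
// parse_json is needed only when the column is a string;
// a column that is already dynamic can be used directly.
| extend Parsed = parse_json(Output)
// Step 1 + 2: take the "value" array and emit one row per element.
| mv-expand Item = Parsed.value
// Step 3: pull each key out of the element and cast it to a typed column,
// so the result sorts and aggregates as numbers and dates rather than dynamic.
| project Total_Record_Count = tolong(Item.Total_Record_Count),
          Date = todatetime(Item.date)
| order by Date desc
```

Against a real table, the `let` statement is dropped and the query starts from that table with its own filter and column name.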
