Home > database >  Data Explorer KQL filtering and mapping JSONs in a list (dynamic type)
Data Explorer KQL filtering and mapping JSONs in a list (dynamic type)

Time:01-03

I want to filter and transform JSONs in an array.

I have the following table:

let fooTable = datatable(str: string, record: dynamic) [
    "name1", dynamic([{"q": "foo", "type": "B1"}]),
    "name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
    "name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
    "name4", dynamic([{"q": "foo", "type": "B1"}]),
    "name5", dynamic([{"q": "b42", "type": "B1"}]),
    "name6", dynamic([{"q": "f42", "type": "C1"}]),
    "name7", dynamic([{"q": "foo", "type": "B1"}])
];

I want to filter the JSONs by "type" field, and do a minor transformation. So let's say I want to filter with "type" "C1", so my output will be:

[
    "name2", dynamic([{"q": "bar", "type": "C1", "qtype": "barC1"}, {"q": "bar2", "type": "B1", "qtype": "bar2B1"}]),
    "name3", dynamic([{"q": "foo", "type": "C1", "qtype": "fooC1"}, {"q": "foo2", "type": "C1", "qtype": "foo2C1"}]),
    "name6", dynamic([{"q": "f42", "type": "C1", "qtype": "f42C1"}
]

I tried the following:

fooTable
| mv-apply v=record on (
    where v.type == "C1"
    | extend r2 = pack(
        "q", v.q,
        "type", v.type,
        "qtype", strcat(v.q, v.type))
    | summarize record = make_list(r2)
    )
| project str, record

But if the type isn't "C1" it simply returns an empty array in the row:

name1   []
name2   [{"q":"bar","type":"C1","qtype":"barC1"}]
name3   [{"q":"foo","type":"C1","qtype":"fooC1"},{"q":"foo2","type":"C1","qtype":"foo2C1"}]
name4   []
name5   []
name6   [{"q":"f42","type":"C1","qtype":"f42C1"}]
name7   []

I want to filter these rows entirely (no empty rows).

CodePudding user response:

Does this work?

let fooTable = datatable(str: string, record: dynamic) [
    "name1", dynamic([{"q": "foo", "type": "B1"}]),
    "name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
    "name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
    "name4", dynamic([{"q": "foo", "type": "B1"}]),
    "name5", dynamic([{"q": "b42", "type": "B1"}]),
    "name6", dynamic([{"q": "f42", "type": "C1"}]),
    "name7", dynamic([{"q": "foo", "type": "B1"}])
];
fooTable
| mv-apply record  on (
 where record.type=="C1"
)
 | summarize make_list(record) by str
str list_record
name2 [
{
"q": "bar",
"type": "C1"
}
]
name3 [
{
"q": "foo",
"type": "C1"
},
{
"q": "foo2",
"type": "C1"
}
]
name6 [
{
"q": "f42",
"type": "C1"
}
]

CodePudding user response:

you could try this:

let fooTable = datatable(str: string, record: dynamic) [
    "name1", dynamic([{"q": "foo", "type": "B1"}]),
    "name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
    "name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
    "name4", dynamic([{"q": "foo", "type": "B1"}]),
    "name5", dynamic([{"q": "b42", "type": "B1"}]),
    "name6", dynamic([{"q": "f42", "type": "C1"}]),
    "name7", dynamic([{"q": "foo", "type": "B1"}])
];
fooTable
| where tostring(record) has '"type":"C1"'
| mv-apply r = record on ( 
    extend record = bag_merge(r, pack("qtype", strcat(r.q, r.type)))
    | summarize record = make_list(record)
)

CodePudding user response:

Does this work?

let fooTable = datatable(str: string, record: dynamic) [
    "name1", dynamic([{"q": "foo", "type": "B1"}]),
    "name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
    "name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
    "name4", dynamic([{"q": "foo", "type": "B1"}]),
    "name5", dynamic([{"q": "b42", "type": "B1"}]),
    "name6", dynamic([{"q": "f42", "type": "C1"}]),
    "name7", dynamic([{"q": "foo", "type": "B1"}])
];
fooTable
| mv-apply record  on (
 where record.type=="C1"
)
| summarize make_list(record) by str

Another option is this:

let fooTable = datatable(str: string, record: dynamic) [
    "name1", dynamic([{"q": "foo", "type": "B1"}]),
    "name2", dynamic([{"q": "bar", "type": "C1"}, {"q": "bar2", "type": "B1"}]),
    "name3", dynamic([{"q": "foo", "type": "C1"}, {"q": "foo2", "type": "C1"}]),
    "name4", dynamic([{"q": "foo", "type": "B1"}]),
    "name5", dynamic([{"q": "b42", "type": "B1"}]),
    "name6", dynamic([{"q": "f42", "type": "C1"}]),
    "name7", dynamic([{"q": "foo", "type": "B1"}])
];
fooTable
| mv-apply record  on (
 where record.type=="C1"
 | summarize make_list(record)
 | where array_length( list_record) > 0
)
str list_record
name2 [
{
"q": "bar",
"type": "C1"
}
]
name3 [
{
"q": "foo",
"type": "C1"
},
{
"q": "foo2",
"type": "C1"
}
]
name6 [
{
"q": "f42",
"type": "C1"
}
]

Page link:https//www.codepudding.com/database/248770.html

Prev:How to mock/create a Firebase Usercredentials object for tests
Next:For anyone who is fluent in Visual Studio, what does "Exception thrown at 0x00007FF651C0A1CA in
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding