Stephanos B.
Reputation: 349
Place KQL results into an indexable array
The problem is simple but the soution is not as straight forward.
I have a KQL query for extracting discinct values from a column
let Actions = EventLogs
| distinct DeviceVendor
| summarize action = make_list(Action);
Using the above it does create succesfully an array with distinct values of Action but the array is not indexable, meaning I cannot access its values with Actions[0] in later queries.
Sample results:
> ["Action_1","Action_2","Action_3","Action_4"]
The aim of the query is to get a sample of results per Action category.
e.g.
EventLogs
| where Action == Actions[0]
| take 5
EventLogs
| where Action == Actions[1]
| take 5
There might be a better way of doing this or at least figuring out a way to make the Actions array accessible via index values.
Upvotes: 0
Views: 159
Answers (1)
Yoni L.
Reputation: 25905
you need to use the toscalar() function.
for example:
let EventLogs = datatable(Action: string)
[
"Action1",
"Action2",
"Action3",
]
;
let Actions = toscalar(
EventLogs
| summarize action = make_list(Action)
);
EventLogs
| where Action == Actions[0]
Upvotes: 0
Related Questions
- KQL: bag unpack json into single row
- Logic app, convert run query json results to usuable / readable output (html/excelish?)to use in Sentinel comments for enrichment
- KQL diferent tables
- How to take distinct column values of Rows from big data KQL query output
- Azure Resource Graph Explorer KQL multi-level JSON nesting
- Error getting results on KQL using ipv4_lookup and watchlist functions
- Group data using list KQL
- Can i convert a string into a KQL command?
- Group similar column results into 1 row - KQL - Azure
- Split KQL array into multiple columns