Log Analtyics - How to use "inverted commas" within search query - azure-log-analytics

I am trying to create a search query for when a Public IP is assigned to a NIC, and then create an alert off that. I can find the part which identifies the assignment, but I need to use "inverted commas" within my search, but I can't...
My query:
AzureActivity
| where OperationName == "Microsoft.Network/networkInterfaces/write" and ActivityStatus == "Started"
| where Properties contains "<>"
Within that "contains", I need to use the following JSON pulled from the properties JSON (which I found doing a search without Properties Contains):
\"provisioningState\":\"Succeeded"\
However, I know I can't use "inverted commas" within an already inverted comma area. Is there a way to allow me to put that inside, perhaps with some sort of cancelling or bracketing?

You can use # for escaping - see here:
https://docs.loganalytics.io/docs/Language-Reference/Data-types/string
or, possibly better yet, you can use extractjson (or parsejson) functions
https://docs.loganalytics.io/docs/Language-Reference/Scalar-functions/extractjson()

I have found my solution, thanks to the links submitted by #Oleg Ananiev.
AzureActivity
| sort by TimeGenerated desc nulls last
| where OperationName == "Microsoft.Network/networkInterfaces/write" and ActivityStatus == "Started"
| where Properties contains '\\"provisioningState\\":\\"Succeeded\\"'

A better way to read to the nested property in JSON format using parse_json. For example if you would like to read to provisioningState property's value, simple do the following query
| where parse_json(Properties).provisioningState == 'Succeeded'
Please let me know if that helps!

Related

Splunk field extractor unable to extract all values

I want to extract 4 values out of one field, called msg, from a Splunk query; and the msg is in the form of:
msg: "Service call successful k1=v1 k2=v2 k3=v3 k4=v4 k5=v5 something else can be ignored"
keys are always static but values are not, for instance, v2 could be XXX or XXYYZZ; similarly possible values for v3 just have unpredictable length.
I query to get some sample results and hope to use Field Extractor to generate a regex, but the regex generated can't get all the values out and I guess it's probably because values are not having the same length?
Do I need to change my logging format by separating each key=value using a common? Or I am not using the field extractor correctly?
[Update1]: A few sample data:
msg:Service call successful k1=XXX k2=BBBB k3=Something I made up k4=YYYNNN k5=do not need to retrieve this value
msg:Service call successful k1=SSSSSS k2=AAA k3=This could contain space and comma, like this one k4=YYYNNM k5=can be ignored
I could change the logging format if it makes easier to query and extract fields. Will adding a separator like dot or pipe help?
Normally Splunk will pull key-value pairs out automatically
However, when it doesn't, go try your regular expression(s) on regex101 - the field extractor is often a good[ish] start, but rarely creates efficient (or complete) regular expressions
An inline version of this would be as follows (presuming the "value" half of the key-value pair is contiguous characters):
| rex field=_raw "k1=(?<k1>\S+)\s+k2=(?<k2>\S+)\s+k3=(?<k3>\S+)\s+k4=(?<k4>\S+)\s+k5=(?<k5>\S+)"
Normally I prefer to do sequential rex calls, in case something's out of order or missing, but if your data's consistent, this will work
Once you have it the way you want it, update your props.conf and transforms.conf as appropriate for the sourcetype
EDIT for updated sample data / comment response:
...
| rex field=_raw "k3=(?<k3>.+)\s+k4="
| rex field=_raw "k4=(?<k4>.+)\s+k5="
...

How can I put several extracted values from a Json in an array in Kusto?

I'm trying to write a query that returns the vulnerabilities found by "Built-in Qualys vulnerability assessment" in log analytics.
It was all going smoothly I was getting the values from the properties Json and turning then into separated strings but I found out that some of the terms posses more than one value, and I need to get all of them in a single cell.
My query is like this right now
securityresources | where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey=extract(#"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), IdAzure=tostring(properties.id)
| extend IdRecurso = tostring(properties.resourceDetails.id)
| extend NomeVulnerabilidade=tostring(properties.displayName),
Correcao=tostring(properties.remediation),
Categoria=tostring(properties.category),
Impacto=tostring(properties.impact),
Ameaca=tostring(properties.additionalData.threat),
severidade=tostring(properties.status.severity),
status=tostring(properties.status.code),
Referencia=tostring(properties.additionalData.vendorReferences[0].link),
CVE=tostring(properties.additionalData.cve[0].link)
| where assessmentKey == "1195afff-c881-495e-9bc5-1486211ae03f"
| where status == "Unhealthy"
| project IdRecurso, IdAzure, NomeVulnerabilidade, severidade, Categoria, CVE, Referencia, status, Impacto, Ameaca, Correcao
Ignore the awkward names of the columns, for they are in Portuguese.
As you can see in the "Referencia" and "CVE" columns, I'm able to extract the values from a specific index of the array, but I want all links of the whole array
Without sample input and expected output it's hard to understand what you need, so trying to guess here...
I think that summarize make_list(...) by ... will help you (see this to learn how to use make_list)
If this is not what you're looking for, please delete the question, and post a new one with minimal sample input (using datatable operator), and expected output, and we'll gladly help.

How do I evaluate value which potentially is not supplied?

I'm trying to make Azure monitor workbook with Azure Resource Graph (ARG) query as backend. There is dropdown presented to use to choose datetime value which is passed as parameter to ARG to filter results. It's expressed as {dateCreated:start} value in query. This works fine as long as there is something selected by user in dropdown, problem is that if nothing is selected in datetime field then condition essentially becomes coalesce(todatetime(),todatetime('2016-11-09T02:53:17.4582226Z')) which obviously fails validation logic since todatetime() expects something being passed to it. Is there something in KQL which will allow to overcome this?
Resources
| where type == 'microsoft.compute/virtualmachines'
| where tags['datecreated'] > coalesce(todatetime({dateCreated:start}),todatetime('2016-11-09T02:53:17.4582226Z') )
iff() and isempty() will do the trick for you:
Resources
| where type == 'microsoft.compute/virtualmachines'
| where tags['datecreated'] > iff(isempty({dateCreated:start}), todatetime('2016-11-09T02:53:17.4582226Z'), todatetime({dateCreated:start}))

Using a filter in part of a string

I have a filter that formats a number based on what stat type it is (percent, integer, currency, etc). I want to use this filter on a value as part of a string. See below:
<js-widget
v-on:click="this.selectedReportId = key"
:selected="this.selectedReportId == key"
:icon="report.icon"
:stat="report.current | stat report.statType"
:title="report.title"
:tooltip="report.tooltip"
:percent="report.percent"
:description="'Previous value: '+(report.past | stat report.statType)">
</js-widget>
As you can see in the :stat parameter, I can use the filter if it is the only thing in the expression. But when it tries to evaluate the :description parameter, I get Error when evaluating expression. Is it possible to use a filter in this way?
It's been very long since the question was asked, but if someone searches, I happen to know the solution.
First there is a way to call a filter from inside the vue component. Actually all filters are stored in the
this.$options.filters
collection. So if you want to call a filter from inside the component you should do
...
this.$options.filters.stat(report.past, report.statType)
...
And if you want to do the same from the markup, you should also call filter not like filter (| syntax), but like the component method
<js-widget
v-on:click="this.selectedReportId = key"
:selected="this.selectedReportId == key"
:icon="report.icon"
:stat="report.current | stat report.statType"
:title="report.title"
:tooltip="report.tooltip"
:percent="report.percent"
:description="'Previous value: '+ $options.filters.stat(report.past, report.statType)">
</js-widget>
Or, better, with template string
:description = "`Previous value: ${$options.filters.stat(report.past, report.statType)}`"
The filter is something available outside of the expression you are evaluating – so that's not going to work syntactially
I would use a computed property instead. For more information, see http://vuejs.org/guide/computed.html.

Splunk: Extracting multiple fields with the same name

I am using Splunk to index logs with multiple fields with the same name. All fields have the same meaning:
2012-02-22 13:10:00,ip=127.0.0.1,to=email1#example.com,to=email2#example.com
In the automatic extraction for this event, I only get "email1#example.com" extracted for the "to" field. How can I make sure all the values are extracted?
Thanks!
I think adding this to the end of the search this may do it:
| extract pairdelim="," kvdelim="=" mv_add=t | table to
(the 'table' is just for demonstration).
So, I think, in 'transforms.conf' (from http://docs.splunk.com/Documentation/Splunk/latest/admin/transformsconf) put:
[my-to-extraction]
DELIMS = ",", "="
MV_ADD = true
and reference it in 'props.conf':
[eventtype::my_custom_eventtype]
REPORT-to = my-to-extraction
where 'eventtype::my_custom_eventtype' could be anything that works as a 'props.conf' specification (<spec> in http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf).