Place KQL results into an indexable array

39 Views Asked by Stephanos B. At 14 March 2024 at 11:24

The problem is simple but the soution is not as straight forward.

I have a KQL query for extracting discinct values from a column

let Actions = EventLogs
| distinct DeviceVendor
| summarize action = make_list(Action);

Using the above it does create succesfully an array with distinct values of Action but the array is not indexable, meaning I cannot access its values with Actions[0] in later queries.

Sample results:

>  ["Action_1","Action_2","Action_3","Action_4"]

The aim of the query is to get a sample of results per Action category.

e.g.

EventLogs
| where Action == Actions[0]
| take 5

EventLogs
| where Action == Actions[1]
| take 5

There might be a better way of doing this or at least figuring out a way to make the Actions array accessible via index values.

Original Q&A

There are 1 best solutions below

Yoni L. On 14 March 2024 at 14:54

you need to use the toscalar() function.

for example:

let EventLogs = datatable(Action: string)
[
    "Action1",
    "Action2",
    "Action3",
]
;
let Actions = toscalar(
    EventLogs
    | summarize action = make_list(Action)
);
EventLogs
| where Action == Actions[0]

Place KQL results into an indexable array

There are 1 best solutions below

Related Questions in KQL

Related Questions in AZURE-SENTINEL

Trending Questions

Popular # Hahtags

Popular Questions