This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Expanding action_evtlog_data_fields

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Expanding action_evtlog_data_fields

Go to solution
NathanBradley
L3 Networker

‎05-27-2022 10:23 AM

Is it possible to create an arrayexpand the action_evtlog_data_fields

the below fails to run

 

dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG
| arrayexpand action_evtlog_data_fields
| alter Username=json_extract(action_evtlog_data_fields, "$.TargetUserName")
| alter IP_Address=json_extract(action_evtlog_data_fields, "$.IpAddress")
| fields IP_Address

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
afurze
L4 Transporter

‎05-27-2022 10:50 AM

The field you are attempting to expand is not an array, it is a json field, so that won't work.  If you remove this line from your query like so:

 

dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG
| alter Username=json_extract(action_evtlog_data_fields, "$.TargetUserName")
| alter IP_Address=json_extract(action_evtlog_data_fields, "$.IpAddress")
| fields IP_Address, Username

 

You should get values as you expect!

View solution in original post

3 REPLIES 3

Go to solution
afurze
L4 Transporter

‎05-27-2022 10:50 AM

The field you are attempting to expand is not an array, it is a json field, so that won't work.  If you remove this line from your query like so:

 

dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG
| alter Username=json_extract(action_evtlog_data_fields, "$.TargetUserName")
| alter IP_Address=json_extract(action_evtlog_data_fields, "$.IpAddress")
| fields IP_Address, Username

 

You should get values as you expect!

Go to solution
NathanBradley
L3 Networker
In response to afurze

‎05-27-2022 12:06 PM

Thanks, any documentation out there for items that are either arrays or json fields

0 Likes Likes

Go to solution
afurze
L4 Transporter
In response to NathanBradley

‎05-27-2022 12:52 PM

There is no exhaustive list to my knowledge, however, you can easily tell by looking at the field data.  Well formatted JSON data is always surrounded by curly brackets ('{', '}'), and then uses key-value format, whereas arrays use square brackets ('[', ']') and are simple collections of values.  For example:

 

{

    "store_name": "Sears",

    "store_tags": ["home", "automotive", "defunct"]

}

 

The overall object here is a JSON object, and it contains two keys, one of which has a value which is an array.  If you see a comma separated list of values in square brackets, think array, if you see key-value data inside of curly braces, think JSON!

0 Likes Likes
  • 1 accepted solution
  • 2025 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks