Log Analytics - How to use “inverted commas” within search query

Submitted by 放荡痞女 on 2019-12-24 20:22:37

Question


I am trying to create a search query for when a Public IP is assigned to a NIC, and then create an alert off that. I can find the part which identifies the assignment, but I need to use "inverted commas" within my search, but I can't...

My query:

AzureActivity
| where OperationName == "Microsoft.Network/networkInterfaces/write" and ActivityStatus == "Started"
| where Properties contains "<>"

Within that "contains", I need to use the following JSON pulled from the properties JSON (which I found doing a search without Properties Contains):

\"provisioningState\":\"Succeeded\"

However, I know I can't use "inverted commas" within an already inverted comma area. Is there a way to allow me to put that inside, perhaps with some sort of cancelling or bracketing?


Answer 1:


You can use @ for escaping - see here: https://docs.loganalytics.io/docs/Language-Reference/Data-types/string

or, possibly better yet, you can use extractjson (or parsejson) functions https://docs.loganalytics.io/docs/Language-Reference/Scalar-functions/extractjson()




Answer 2:


I have found my solution, thanks to the links submitted by @Oleg Ananiev.

AzureActivity
| sort by TimeGenerated desc nulls last
| where OperationName == "Microsoft.Network/networkInterfaces/write" and ActivityStatus == "Started"
| where Properties contains '\\"provisioningState\\":\\"Succeeded\\"' 



Answer 3:


A better way to read the nested property in JSON format is to use parse_json. For example, if you would like to read the provisioningState property's value, simply run the following query:

| where parse_json(Properties).provisioningState == 'Succeeded'

Please let me know if that helps!
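
An added example, not part of the original answers: the three string-literal forms discussed above, plus a JSON-parsing filter, run side by side over two constructed rows so the escaping can be checked without live AzureActivity data. The `SampleActivity` table and the `responseBody` wrapper key are assumptions made up to reproduce the `\"` sequences the question shows inside Properties.

```kusto
// Constructed sample rows standing in for AzureActivity. The "responseBody"
// wrapper key is an assumption, used only to produce the \" sequences.
let SampleActivity = datatable(TimeGenerated:datetime, OperationName:string, ActivityStatus:string, Properties:string)
[
    datetime(2019-12-24 10:00:00), "Microsoft.Network/networkInterfaces/write", "Started",
        @'{"responseBody":"{\"provisioningState\":\"Succeeded\"}"}',
    datetime(2019-12-24 10:05:00), "Microsoft.Network/networkInterfaces/write", "Started",
        @'{"responseBody":"{\"provisioningState\":\"Failed\"}"}'
];
SampleActivity
| where OperationName == "Microsoft.Network/networkInterfaces/write" and ActivityStatus == "Started"
| extend
    // Double-quoted literal: \\ is one backslash, \" is one double quote.
    ByDoubleQuoted = Properties contains "\\\"provisioningState\\\":\\\"Succeeded\\\"",
    // Single-quoted literal: " needs no escape, only the backslash does.
    BySingleQuoted = Properties contains '\\"provisioningState\\":\\"Succeeded\\"',
    // Verbatim literal (@ prefix): the backslash stands for itself.
    ByVerbatim = Properties contains @'\"provisioningState\":\"Succeeded\"',
    // Parse the outer JSON, then the string-encoded inner JSON.
    ByParse = tostring(parse_json(tostring(parse_json(Properties).responseBody)).provisioningState) == "Succeeded"
| project TimeGenerated, ByDoubleQuoted, BySingleQuoted, ByVerbatim, ByParse
```

For an alert rule, keep one of the four predicates as a `where` filter instead of the `extend`; the parsing form does not depend on key order or whitespace inside the inner JSON, which the substring forms do.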



Source: https://stackoverflow.com/questions/48539597/log-analtyics-how-to-use-inverted-commas-within-search-query
