azure kql azure-log-analytics

Accessing a Kusto extract_all(...) result which is a dynamic([string])


Is below the best way to index into an array-of-arrays-of-strings like what is output from the extract_all() function?

I am after the most terse and direct expression-isolated way to refer to the match[0][0] and match[0][1] values, w/o any side effects like temp columns from mvexpand.

I feel like there is something easy I am missing to do this.

print x="match first foo and bar, but not another foo and bar"
// extract_all(...) output is dynamic([string]), so 'match' is dynamic([string]) and 'match[0]' is dynamic(string)
// but ... it really is an array-of-arrays for multiple occurrences of multiple capture groups like 'match'.
// how do I index the array within match[0] without reparsing it all via parse_json?
| extend match = extract_all("(foo) and (bar)", x)
| extend first_occurence = match[0]
// I seem to need to do this to get the capture group values, since 'first_occurence' is dynamic(string)
// notes: not using mvexpand on purpose, I want to do this as an expression on the isolated function output; I do not want
// to create temp columns just to hold intermediate values
| extend first_occurence_captures = parse_json(tostring(first_occurence))
| extend myfoo = first_occurence_captures[0]
| extend mybar = first_occurence_captures[1]

The output:


UPDATE: I tried match[0][0] despite the syntax error shown in the Kusto desktop UI. So maybe the real issue is that there is a false syntax error that dissuaded me from trying it.

Here is what I see in my Kusto.Explorer [v1.0.3.1276]


But the output as expected works:



Solution

  • I have reproduced in my environment and below are expected results:

    I tried match[0][0] despite the syntax error shown in the Kusto desktop UI. So maybe the real issue is that there is a false syntax error that dissuaded me from trying it.

    The KQL interpreter does not expect [] in that situation, but nested arrays are available in KQL, and when we run the query, it compiles successfully and gives us the output like below:

    print x = "match first foo and bar, but not in another c foo and bar"
    | extend match = extract_all("(foo) and (bar)", x)
    | extend foo = match[0][0], bar = match[0][1]
    

    Output:


    It is expected behavior in KQL. If you want to investigate this further, I would suggest you open a support ticket for further clarification.
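
An added example, not part of the original question or answer: the same nested indexing applied to log-style rows, covering a row with several matches and a row with none. The table contents, column names and regex are constructed for the illustration.

```kql
// Constructed sample log lines (not from the original post).
datatable(line: string)
[
    "login failed user=alice ip=10.0.0.5; login failed user=bob ip=10.0.0.9",
    "login failed user=carol ip=10.0.0.7",
    "service restarted"
]
// Two capture groups, so every element of 'm' is itself an array:
// m[occurrence][capture_group]
| extend m = extract_all(@"user=(\w+) ip=([\d.]+)", line)
// extract_all() returns null when nothing matches, so coalesce the count to 0.
| extend occurrences = coalesce(array_length(m), 0)
// Index the nested array directly, with no parse_json() round trip and no mv-expand.
// tostring() turns the dynamic value into a typed string; a missing occurrence
// (no match, or an index past the end) is a null dynamic and becomes an empty string.
| extend first_user  = tostring(m[0][0]),
         first_ip    = tostring(m[0][1]),
         second_user = tostring(m[1][0])
| project line, occurrences, first_user, first_ip, second_user
```

Wrapping each indexed value in tostring() matters when the result feeds a join, a summarize key or a string comparison, since those expect a typed column rather than dynamic.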