Pretty much every blog I've produced is a real world solution that I have used in production. Sometimes they are solutions I have worked on recently; sometimes months or even a year have gone by before I finally wrote it down. Sometimes blogging and a real world solution occur at the exact same time. I was already working on the examples of extracting nested fields with Kusto when a coworker asked about extracting fields out of a custom log that was being sent for an application.

Sometimes in Log Analytics, Azure Resource Graph, Azure Sentinel, pretty much anything that uses Kusto, you will have nested fields. Either way you may want the data contained within this nested field. There are a few ways of extracting these nested fields with Kusto, depending on which product you are using.

This first method works best for nested JSON fields. It's also useful if you only need to extract a few fields, or, as in the examples I'll show below, when you are using Azure Resource Graph. Azure Resource Graph doesn't support the evaluate operator that I'll show below. Let's grab all our IaaS disks with this simple query.

Resources | where type contains "pute/disks"

This will work in Log Analytics as well, but since Azure Resource Graph doesn't have all the available operators and scalar functions, this method is how you do it in Resource Graph.

Next up is bag_unpack(); this might be my favorite method. This method works in Log Analytics and ostensibly Azure Sentinel. I haven't tried it in Application Insights, but I would bet it works there as well. bag_unpack() works with JSON and will extract all fields in the nested object and make them their own fields. This is what I ended up recommending my coworker use on their custom logs. Looking at our Azure AD Sign In logs there are a few nested fields. Granted there are only 3 key value pairs in here, but rest assured in our client's application logs the number of fields it needed to extract was a lot. And each record had different fields, so using the first method would be rather time consuming. It would be great if evaluate bag_unpack became available in Azure Resource Graph. I have provided the feedback through the Azure portal. If you could spare a minute it would be great if you could too.

This is my least favorite method; my recommendation would be to not put nested XML into Kusto.
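To show the first method (pulling a few nested values out with dot notation) on the disk query above, here is an added Azure Resource Graph example that is not part of the original post. It filters on the full resource type rather than a substring, and the property names it reads under `properties` (diskSizeGB, diskState, encryption.type, networkAccessPolicy) and under `sku` are assumed from the Microsoft.Compute/disks schema; check them against what your tenant returns.

```kusto
// Added example, not from the original post. Property names under
// `properties` and `sku` are assumed from the Microsoft.Compute/disks schema.
Resources
| where type =~ "microsoft.compute/disks"
// Dot notation walks the dynamic `properties` bag one key at a time.
// tostring()/toint() give each extracted value a real type so the new
// columns can be filtered, sorted and summarized like any other column.
| extend diskSizeGB     = toint(properties.diskSizeGB),
         diskState      = tostring(properties.diskState),
         encryptionType = tostring(properties.encryption.type),
         networkAccess  = tostring(properties.networkAccessPolicy),
         skuName        = tostring(sku.name)
// A small inventory view: which disks are attached, how they are encrypted
// at rest, and whether network access to the disk is restricted.
| project name, resourceGroup, subscriptionId, location, skuName,
          diskSizeGB, diskState, encryptionType, networkAccess
| order by diskState asc, diskSizeGB desc
```

This runs as-is in Azure Resource Graph Explorer (or through `az graph query -q '...'`). Because every extraction is spelled out by hand, the query is explicit about which nested keys it depends on, which is exactly why the method stops scaling once records carry dozens of different keys.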
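To show bag_unpack() on sign-in-style data where records carry different keys, here is an added Log Analytics / Sentinel example that is not part of the original post. The rows are constructed inline with datatable so it runs without any real SigninLogs; the nested shapes of DeviceDetail and Status follow the Azure AD sign-in schema, but every value is made up.

```kusto
// Added example, not from the original post. Sample rows are constructed to
// resemble SigninLogs; values are fictional.
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string,
                              ResultType:string, DeviceDetail:dynamic, Status:dynamic)
[
    datetime(2024-03-01 08:00:00), "alice@contoso.example", "0",
        dynamic({"operatingSystem":"Windows 11","browser":"Edge 122","isCompliant":true,"trustType":"Azure AD joined"}),
        dynamic({"errorCode":0}),
    datetime(2024-03-01 08:05:00), "bob@contoso.example", "50126",
        dynamic({"operatingSystem":"Android","browser":"Chrome Mobile 122"}),
        dynamic({"errorCode":50126,"failureReason":"Invalid username or password"}),
    datetime(2024-03-01 08:07:00), "carol@contoso.example", "0",
        dynamic({"operatingSystem":"MacOs","browser":"Safari 17","isCompliant":false,"isManaged":false}),
        dynamic({"errorCode":0})
];
SampleSignins
// Each bag_unpack call turns every key found in the bag into its own column
// and drops the original bag. The prefix argument keeps keys from the two
// bags from colliding and makes it obvious which bag a column came from.
| evaluate bag_unpack(DeviceDetail, "Device_")
| evaluate bag_unpack(Status, "Status_")
// Keys missing from a row come through as null, so rows with different
// shapes (bob has no compliance info, alice has no failureReason) still
// line up in one table without listing every key by hand.
| project TimeGenerated, UserPrincipalName, ResultType,
          Device_operatingSystem, Device_browser, Device_isCompliant, Device_isManaged,
          Status_errorCode, Status_failureReason
```

One caveat worth knowing before using this in a scheduled analytics rule: the output columns of bag_unpack() exist only if the key appears in at least one row of the result, so a rule that references `Device_isCompliant` can fail when no sign-in in the window carried that key. For detection logic that must always compile, either read the value explicitly with `tobool(DeviceDetail.isCompliant)` or guard the unpacked column with `column_ifexists("Device_isCompliant", false)`.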