multiple if and else within kql azure
Trying to write a kql query where date should be populated in the "date" column based on the if condition :-
If RawData has a string starting with "" then the result of this - substring(RawData, 0, 1900) which is a date should be populated in the column Date.
If RawData has a string starting with "DD" or "II" then result of this- substring(RawData, 22, 1900) which is a date should be populated in the column Date.
And similarly there are 2-3 more conditions. How to implement this? I was trying something like this -
T
| project Date=substring(RawData, 0, 24), RawData
| project Date, RawData=substring(RawData, 0, 1900)
| project Date = iff(RawData contains_cs "||", "substring(RawData, 22,
1900)","substring(RawData, 0, 1900)"), RawData
Solution
As far as I have understood your question, you could do the following:
let T = datatable (
RawData: string
)
[
"DD 2024-07-31 23:25:01.434 Callingfunctionality . II 2024-07-31 23:25:01.412 calling refer-functionality performance tune"
];
T
| extend SplitDD = split(split(RawData, "DD ")[1], " ")
| extend SplitII = split(split(RawData, "II ")[1], " ")
| extend DateDD = todatetime(strcat(SplitDD[0], " ", SplitDD[1]))
| extend DateII = todatetime(strcat(SplitII[0], " ", SplitII[1]))
| project DateDD, DateII
So using extend essentially and split.
Here is a working Sample.
UPDATE 2 (with union):
let T = datatable (
RawData: string
)
[
"DD 2024-07-31 23:25:01.434 Callingfunctionality . II 2024-07-31 23:25:01.412 calling refer-functionality performance tune"
];
let DD =
T
| extend Split = split(split(RawData, "DD ")[1], " ")
| extend Date = todatetime(strcat(Split[0], " ", Split[1]))
| project Date;
let II =
T
| extend Split = split(split(RawData, "II ")[1], " ")
| extend Date = todatetime(strcat(Split[0], " ", Split[1]))
| project Date;
union DD, II
Here is this working sample.
Result:
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?