multiple if and else within kql azure
Trying to write a kql query where date should be populated in the "date" column based on the if condition :-
If RawData has a string starting with "" then the result of this - substring(RawData, 0, 1900) which is a date should be populated in the column Date.
If RawData has a string starting with "DD" or "II" then result of this- substring(RawData, 22, 1900) which is a date should be populated in the column Date.
And similarly there are 2-3 more conditions. How to implement this? I was trying something like this -
T
| project Date=substring(RawData, 0, 24), RawData
| project Date, RawData=substring(RawData, 0, 1900)
| project Date = iff(RawData contains_cs "||", "substring(RawData, 22,
1900)","substring(RawData, 0, 1900)"), RawData
Solution
As far as I have understood your question, you could do the following:
let T = datatable (
RawData: string
)
[
"DD 2024-07-31 23:25:01.434 Callingfunctionality . II 2024-07-31 23:25:01.412 calling refer-functionality performance tune"
];
T
| extend SplitDD = split(split(RawData, "DD ")[1], " ")
| extend SplitII = split(split(RawData, "II ")[1], " ")
| extend DateDD = todatetime(strcat(SplitDD[0], " ", SplitDD[1]))
| extend DateII = todatetime(strcat(SplitII[0], " ", SplitII[1]))
| project DateDD, DateII
So using extend essentially and split.
Here is a working Sample.
UPDATE 2 (with union):
let T = datatable (
RawData: string
)
[
"DD 2024-07-31 23:25:01.434 Callingfunctionality . II 2024-07-31 23:25:01.412 calling refer-functionality performance tune"
];
let DD =
T
| extend Split = split(split(RawData, "DD ")[1], " ")
| extend Date = todatetime(strcat(Split[0], " ", Split[1]))
| project Date;
let II =
T
| extend Split = split(split(RawData, "II ")[1], " ")
| extend Date = todatetime(strcat(Split[0], " ", Split[1]))
| project Date;
union DD, II
Here is this working sample.
Result:
- Cannot add data to a ComplexField using Python SDK for Azure AI Search
- letsencrypt cert request failing for AKS ingress
- Playwright Test execution on Azure Windows machine fails in pipeline with error as No test found, It works perfectly with same command
- How to Combining PowerShell Output from multiple server to Single csv
- How can I find all Azure app registrations with API permissions to a specific app registration?
- Azure Deployment Groups vs Agent Pools
- I cannot extract .sql CREATE TABLEs for each table in my Azure SQL Database in my Azure Repo
- Can not read blobs through BlobContainerClient for blobs with empty folder prefixes
- Are task logs deleted when the node is deleted due to autoscaling in Azure Batch service?
- Azure Function Blob Storage Monitor
- I want to fetch Azure SQL table data from ADF to use as input in copy activity
- How to access code of my Azure website?
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- Azure Function - HTTP trigger request length exceeded
- How and where to define an environment variable on Azure
- Stream Analytics doesn't output the data to SQL but does to a blob storage
- While Hierarchical namespace enabled cannot upload blob with metadata hdi_isfolder
- Cannot log in to Visual Studio Account in VS 2022
- SchemaColumnConvertNotSupportedException: column: [Col_Name], physicalType: INT64, logicalType: string
- create Azure Keyvault secret without exposing values
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- Deploy ARM template at management group scope with Azure DevOps Pipeline
- How to make an azure function that deploys my bicep script from Azure Storage Account
- Basic SQL commands in Terraform
- Can we Deploy Web Application in Azure OpenAI of Production Level
- Get-MgGroupMember by display name instead of userID
- Azure DevOps REST API parent relation link to existing work item error
- What should be put to 'repoOwners' in Managed Identity Federated Credentials policy?
- How to get list of users from CSV file whose LastSignInDate column has a date that is before 90 days from current date or is empty?
- Langchain cannot connect with Azure SQL Database