Kusto Query Language: Ep.9 – Parsing Complex Data Types.

Question

Hi all,&nbsp;I am stuck on Question 6 as part of the KQL Parsing Complex Data Types.I have been doing adaptations of the following query to only get a blank AvgTime table each time.&nbsp;&nbsp;Event_CL| where EventData contains "KB2267602"| extend ParsedData = parse_json(EventData)| summarize AvgTime = avg(todatetime(ParsedData["@time"]))I may be missing something obvious or not, but any help would be thankful.&nbsp;

ashleykingscote · Answer

Hey, you're pretty close.Try using `parse_xml` on the EventData, as it's in XML format and not JSON.Then you can summarize the attribute directly like: `summarize avg(todatetime(EventData.DataItem["@time"]))`

calums · Answer

Hi SamDickison​ Not managed to yet with the help above or had time to get back and try again. Will do soon hopefully and get back to you.&nbsp;

calums · Answer

Hey, thank for the help, got me a bit of the way there.

Ended up working with the following:
Event_CL
| extend ParsedXml = parse_xml(EventData)
| where tostring(ParsedXml) contains "KB2267602"
| summarize avg_time = avg(todatetime(ParsedXml.DataItem["@time"]))

But got a value and put it in to be incorrect, did attempt a few variations of it incase it wanted in a certain format.

samdickison · Answer

Hi CalumS​ did you manage to completed the lab?

Forum Discussion

Kusto Query Language: Ep.9 – Parsing Complex Data Types.

4 Replies

Featured Places

Help & Support Forum

Related Content

Kusto Query Language: Ep.7 – String Processing Q4

Application Security Languages

Which languages is Cyber Million available in?

How do you balance scenario complexity against driving clear, actionable steps from an exercise?

Decoding Coding: Picking a Language

Recent Discussions

Microsoft Sentinel: SOAR Demonstrate your skills

Serial Maze Support Group

Kusto Query Language: Ep.7 – String Processing Q4

Pwntools: Ep. 2 Token

Incident Response Suspicious Email Part 2 last Question