I am using the following query to monitor Azure WAF, it works fine but I want to filter out custom rule hits from the query and only show blocks by MSFT Default Rulesets but I cannot find how to do that
The following query show blocks from custom rules AND MSFT default rules, I want to only show MSFT default rule set blocks
I understand I can exclude the name or all my custom rules but that will be difficult to maintain
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"
| where requestUri_s contains "xxx" or requestUri_s contains "xxx" or requestUri_s contains "xxx" or requestUri_s contains "xxx" or requestUri_s contains "xxx" or requestUri_s contains "xxx"
| extend ParsedUrl = parseurl(requestUri_s)
| summarize BlockCount = count() by TimeStamp = bin(TimeGenerated, 3h), ClientIP = clientIP_s, RuleName = ruleName_s, Host = host_s, PATH = tostring(ParsedUrl.Path)
| order by TimeStamp desc
Related
Just trying to use a pre-existing "Slowest queries - top 5" from Azure log analytics for postgres flexible server. The query that is provided is:
// Slowest queries
// Identify top 5 slowest queries.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreRuntimeStatistics"
| where user_id_s != "10" //exclude azure system user
| summarize avg(todouble(mean_time_s)) by event_class_s , db_id_s ,query_id_s
| top 5 by avg_mean_time_s desc
This query results in the error :
'where' operator: Failed to resolve column or scalar expression named 'user_id_s'
If the issue persists, please open a support ticket. Request id: XXXX
I am guessing that something is not configured in order to utilize the user_id_s column. Any assistance is appreciated.
I am expecting you are checking the integer value 10 is not equal to the user_id_s.
In your KQL query user_id_s != "10" .
Thanks # venkateshdodda-msft I am adding your suggestion to help to fix the issue.
If you are using integer in a KQL make sure to remove the " " double quotes.
# using as a integer
| where user_id_s != 10
Or convert the integer into string by using
# converting into string
| extend user_id_s = tostring(Properties.user_id_s)
| where UserId in ('10')
Modified KQL Query
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreRuntimeStatistics"
# using as a integer
| where user_id_s != 10 //exclude azure system user
| summarize avg(todouble(mean_time_s)) by event_class_s , db_id_s ,query_id_s
| top 5 by avg_mean_time_s desc
Reference:
Operator failed to resolve table or column expression
Converting integer to string
I have formed this query to get the desired output mentioned below:
select tbl.id, tbl.label, tbl.input_type, tbl.table_name
case when tbl.input_type = 'dropdown' or tbl.input_type = 'searchable-dropdown'
then (select json_agg(opt) from tbl.table_name) as opt) end as options
from mst_config as tbl;
I want output like below:
id | label | input_type | table_name | options
----+----------------------------------------------------+---------------------+-------------------------+-----------------------------------------------------------
1 | Gender | dropdown | mst_gender | [{"id":1,"label":"MALE"},
| | | | {"id":2,"label":"FEMALE"}]
2 | SS | dropdown | mst_ss | [{"id":1,"label":"something"},
| | | | {"id":2,"label_en":"something"}]
But, I'm facing a problem while using,
select json_agg(opt) from tbl.table_name) as opt
In the above part "tbl.table_name", I wanted to use it as dynamic table name but it's not working.
Then, I have searched a lot and found something like Execute format('select * from %s', table_name), where tablename is the dynamic table name. I have even tried the same with postgres function.
But I faced an issue again while using the format method. The reason is I want to use the variable for which the value needs to come from its own main query value instead of already having it in a variable. so this one was also not working.
I would really appreciate if anyone can help me out on this. Also if there are any other possibilities available to achieve this output, help me on that as well.
I've searched for a number of hours now and am unable to figure out how to do this.
I query an MSSQL database that returns 2 columns, one of these values is empty/null but does represent something in the SQL database(I've tested disabling it).
How would I check through what is returned from my query for the empty value and modify this to something else?
$TestQuery = Invoke-Sqlcmd -Database $DB -Query $qcd -ServerInstance "SomeInstance\Instance1" -Verbose
Result:
Activity Setting
-------- -------
All Operation Enabled
Backup Enabled
Restore Enabled
Prune Enabled
Aux Copy Enabled
Schedule Enabled
Archive Check Enabled
Tape Erase Enabled
Offline content Index Enabled
Online Content Index Enabled
Enabled
You can see the last item returned doesn't have a value but does reflect a setting in the application we use, I just want to modify that value to "Value1" for example.
Any help is greatly appreciated, I did try using hashtables but had no idea what I was doing despite several hours of googling.
Edit:
My Query:
SELECT JM.opName AS 'Activity',
CASE action
WHEN 1 THEN 'Disabled'
WHEN 2 THEN 'Enabled'
END AS 'Setting'
FROM JMJobAction AS J
LEFT JOIN JMJobOperationNames JM on JM.opType = J.opType
WHERE clientId = 1
AND appType = 0
AND J.opType != 8
AND appId = 1
You may do the following in PowerShell:
$TestQuery = Invoke-Sqlcmd -Database $DB -Query $qcd -ServerInstance "SomeInstance\Instance1"
$TestQuery |
Where { [string]::IsNullOrEmpty($_.Activity) } | Foreach-Object {
$_.Activity = 'Value1' # Update all empty or nulls with Value1
}
$TestQuery # Contains updated results
Note that this does not update the actual database. You will need a separate query that writes back to the database.
When a database table contains a NULL, it is interpreted as the System.DBNull data type in PowerShell. [System.DBNull]::Value is not the same as $null. So if you only wanted to query for NULL values, then your query could more appropriately be modified to the following:
$TestQuery | Where Activity -is [DBNUll]
I don't know if I understand your question correctly.
I understand that you want to have a default_value when there is no data in a column.
That can be solved in your SQL Query with case. Here an example
[Edit] Based on your added query
SELECT
CASE
WHEN JM.opName is null OR JM.opName = '' THEN "DefaultActivity"
ELSE JM.opName
END AS Activity,
CASE action
WHEN 1 THEN 'Disabled'
WHEN 2 THEN 'Enabled'
END AS 'Setting'
FROM JMJobAction AS J
LEFT JOIN JMJobOperationNames JM on JM.opType = J.opType
WHERE clientId = 1
AND appType = 0
AND J.opType != 8
AND appId = 1
I would like do a left join query in sails.js. I think i should use populate
I have three models
caracteristique{
id,
name,
races:{
collection: 'race',
via: 'idcaracteristique',
through: 'racecaracteristique'
},
}
race{
id,
name,
caracteristiques:{
collection: 'caracteristique',
via: 'idrace',
through: 'racecaracteristique'
}
}
RaceCarecteristique{
idrace: {
model:'race'
},
idcaracteristique: {
model: 'caracteristique'
},
bonusracial:{
type: 'number',
}
My data are:
Table Caracteristiques
id name
1 | strength
2 | dex
3 | Charisme
Table Race
id name
1 | human
2 | Org
TableRaceCarecteristique
idrace idcaracteristique bonusracial
1 | 2 | +2
This sql request give me for human, all caracteristiques and if exist bonusracial
'SELECT caracteristique.id, caracteristique.name, bonusracial
FROM caracteristique
LEFT OUTER JOIN (select idcaracteristique, bonusracial
from racecaracteristique
where idrace=$1 ) as q
ON q.idcaracteristique = caracteristique.id';
I have this result:
caracteristique.id, caracteristique.name, bonusracial
1 | strength | null
2 | dex | 2
3 | Charisme | null
How use populate to do this ?
When using a SQL-database adapter (MySQL, PQSL etc) you can utilise a method for performing actual, handwritten SQL statements. When all else fails, this might be your best bet to find an acceptable solution, within the framework.
The .sendNativeQuery() method sends your parameterized SQL statement to the native driver, and responds with a raw, non-ORM-mangled result. Actual database-schema specific tables and columns appear in the result, so you need to be careful with changes to models etc. as they might change the schema in the backend database.
The method takes two parameters, the parameterized query, and the array of values to be inserted. The array is optional and can be omitted if you have no parameters to replace in the SQL statement.
Using your already parameterized query from above, I'm sending the query to fetch the data for an "org" (orc perhaps?) in the example below. See the docs linked at the bottom.
Code time:
let query = `
SELECT caracteristique.id, caracteristique.name, bonusracial
FROM caracteristique
LEFT OUTER JOIN (select idcaracteristique, bonusracial
from racecaracteristique
where idrace=$1 ) as q
ON q.idcaracteristique = caracteristique.id`;
var rawResult = await sails.sendNativeQuery(query, [ 2 ]);
console.log(rawResult);
Docs: .sendNativeQuery()
I am trying to get a list of security groups. (Successful - Using Get-EC2SecurityGroup)
Get a list of the specific IPPermissions associated with each security group. ( Successful - Using (Get-EC2SecurityGroup).IpPermissions )
Only return results where the FromPort = "xxx" ( Unsuccessful - Not sure how to access the FromPort property that is returned in the result list )
Ultimately what I am trying to accomplish is:
Get a list of existing security groups, and loop through each group.
While looping through each group, call the IpPermissions, and look for the specific FromPort "xxx".
If the FromPort is a match, record the other properties: (FromPort, IpProtocol, IpRanges, ToPort, UserIdGroupPairs)
Problem I am having
I am not sure how to do a loop using the amazon objects
I cant seem to access the properties even though they appear to be named and have values.
I have tried using -Filter with many different iterations, with no success.
The documentation seems self-referencing, and the examples I have run across dont get down to this level of detail.
Results returned from (Get-EC2SecurityGroup).IpPermissions
FromPort : 123
IpProtocol : tcp
IpRanges : {0.0.0.0/0}
ToPort : 123
UserIdGroupPairs : {}
Here's an example that does as you've described:
Filters security group objects by FromPort
Of the matched security groups, output IpProtocol, IpRanges, ToPort, and UserIdGroupPairs.
Code:
# Example using port 22
PS C:\> $port = 22
PS C:\> Get-EC2SecurityGroup |
? { $_.IpPermissions.FromPort -eq $port } |
% { $_.IpPermissions } |
Select -property IpProtocol, IpRanges, ToPort, UserIdGroupPairs
Output:
IpProtocol IpRanges ToPort UserIdGroupPairs
---------- -------- ------ ----------------
tcp {0.0.0.0/0} 22 {}
... ... ... ...