This tutorial shows how to extract useful fields from JSON strings in Advanced Hunting using Kusto Query Language. It explains JSON basics (key-value pairs in quotes, lists in brackets) and points out that most hunting columns are scalar, but some—like AdditionalFields—contain packed JSON that’s hard to work with in a grid. The demo converts the JSON string into a dynamic value using parse_json (also known as todynamic), then uses dotted notation to extend individual members into new columns (for example, pulling out ClassName, ClassId, DeviceId, DeviceDescription, and VendorIds). It also notes an important limitation: you can’t summarize/aggregate on dynamic values, but you can convert back to string with tostring when needed. To make the extraction cleaner, it demonstrates bag_unpack as a simpler way to expand all members into columns, and solves duplicate-column-name errors by using the bag_unpack prefix parameter (adding a prefix like AdditionalFields to each unpacked field).
We produced this as a compact “learn one trick, unlock a lot” tutorial. The visuals are deliberately close on the result grid and query edits so viewers can follow the transformation from unreadable blob to usable columns, and the pacing slows briefly on the two gotchas that actually bite people (dynamic type behavior and name collisions). Final delivery includes closed captions, audio description, and thumbnails.
The inevitable sequels
Hollywood keeps stretching good ideas into progressively worse sequels. We don’t. These are the related videos—spiritual siblings of the one you just watched—as good or better than this video. Expect callbacks, new plot twists, and maybe even a scene-stealing cameo from a lower third.
