dynamic
The KQL dynamic type for semi-structured JSON-like data
The dynamic type holds JSON-like semi-structured data. A dynamic value can be:
- A scalar value (string, number, bool, null, datetime, timespan, guid)
- An array of dynamic values
- A property bag (object) mapping string keys to dynamic values
print arr = dynamic([1, 2, 3])
print obj = dynamic({"name": "Alice", "age": 30})
print nested = dynamic({"tags": ["a", "b"], "meta": {"version": 1}})Accessing Fields
Use dot notation or bracket notation to access nested fields:
T | where d.http.status_code >= 500
T | where d["http"]["method"] == "POST"Accessing a field that doesn't exist returns null (not an error).
Arrays
Access array elements by index (zero-based):
T | extend first = arr[0]
T | extend last = arr[-1]Use array_length() to get the size, and mv-expand to flatten array elements into separate rows:
T | mv-expand tag = tags
| summarize count() by tostring(tag)Property Bags
Property bags are unordered key-value maps. Use bag_keys() to list keys and bag_pack() to construct them:
T | extend keys = bag_keys(d)
T | extend info = bag_pack("name", name, "id", id)Parsing JSON Strings
If your data arrives as a JSON string, convert it to dynamic with parse_json():
T | extend payload = parse_json(raw_json)
| where payload.status == "error"Dynamic and Null
A dynamic value can be null at any level. Chained field access is null-safe — if any intermediate field is null, the entire expression evaluates to null:
// If d.http is null, d.http.method is also null (no error)
T | where isnotnull(d.http.method)Type Coercion
When you use a dynamic value in a typed context, KQL coerces it automatically. For explicit conversion, use tostring(), tolong(), todatetime(), etc:
T | extend status_code = toint(d.http.status_code)
| where status_code >= 400