KQL - extract values from SyslogMessage - How to?

Georgi Palazov 286 Reputation points
2022-06-24T12:49:02.98+00:00

Hello,

I want to extract some information from a SyslogMessage in KQL.

Let's assume I have the following Syslog message:
"002E0102","A":"002E","O":"NetIQ Access Manager\nidp"

I managed to extract the first half - 002E0102 with:

| extend NetIQId = extract(@"\d\d\d[a-zA-Z]\d\d\d\d",0,SyslogMessage)

This is not the whole message; however, I want to extract, i.e., where it says NetIQ Access Manager.

  1. How do I achieve that and what is the syntax?
  2. I took an example from another query, but I'm wondering why the regex part of extract should start with @

Thank you!
I'm very new to regex; maybe even the first half I extracted could be extracted more easily, who knows..


Accepted answer
  1. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2022-06-24T13:35:57.773+00:00

    First, since the Syslog table contains many log types, make sure to isolate this particular format. Your initial where-statements need to isolate this log format from the others by some identifying aspect.

    There are several ways to parse depending on the format. A regex filter may not be necessary.

    If the data is delineated you can 'split' the data into an array and call the index number to extract the target value:

    Syslog
    | extend Vendor = split(SyslogMessage, ",").[4]

    If there is no delineation you can use parse:

    Syslog
    | parse SyslogMessage with * "Before_Text" NewColumnName "After_Text" *


2 additional answers

  1. Georgi Palazov 286 Reputation points
    2022-06-24T13:42:14.757+00:00

    I've input a filter:

    Syslog
    | where SyslogMessage contains "Access Manager"
    | take 10

    What I'm looking for is extracting, i.e., NetIQ Access Manager from SyslogMessage with the extract() example from above:

    "002E0102","A":"002E","O":"NetIQ Access Manager\nidp"


  2. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2022-06-25T06:08:07.657+00:00

    Just a thought. Why parse Access Manager if you know it contains Access Manager? For example:

    Syslog
    | where SyslogMessage contains "Access Manager"
    | project Product = "NetIQ Access Manager"

    I was just demonstrating options earlier. To fully parse with split you might need two passes:

    Syslog
    | extend P1 = tostring(split(SyslogMessage, "\"").[9])   // field between the 9th and 10th double quote
    | extend P2 = split(P1, @"\").[0]                        // verbatim @"\" is a single backslash; drop the "\nidp" tail

    Or maybe something like this:

    Syslog
    | parse SyslogMessage with * "O\":\"" Product "\\" *   // "\\" is one backslash, so Product stops before \nidp

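Added example (not from either answer): one self-contained query that runs the three approaches from the accepted answer and the follow-up (regex extract, two-pass split, parse) against a constructed copy of the sample message, and shows why the regex starts with @ (it marks a verbatim string literal, so backslashes in the pattern are not doubled). Assumed: SyslogMessage stores the value with a literal backslash-n, and the leading id is always 8 hex characters.

```kusto
// Constructed stand-in for the Syslog table; the second row is unrelated noise.
let SampleSyslog = datatable(TimeGenerated:datetime, SyslogMessage:string)
[
    datetime(2022-06-24T12:00:00Z), @'"002E0102","A":"002E","O":"NetIQ Access Manager\nidp"',
    datetime(2022-06-24T12:00:01Z), 'sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234'
];
SampleSyslog
// Isolate this log format first; many unrelated sources share the Syslog table.
| where SyslogMessage contains "Access Manager"
// 1) Regex. @'...' is a verbatim literal, so \\ inside the character class is
//    written once per regex backslash instead of being doubled again for KQL.
//    Group 1 captures everything after "O":" up to the next quote or backslash.
| extend ProductRx = extract(@'"O":"([^"\\]+)', 1, SyslogMessage)
// 2) Two-pass split: field [9] when splitting on the double quote, then drop
//    the tail after the backslash (@"\" is a single backslash).
| extend ProductSplit = tostring(split(tostring(split(SyslogMessage, '"')[9]), @"\")[0])
// 3) parse: the text between the literal O":" and the next backslash.
| parse SyslogMessage with * 'O":"' ProductParse '\\' *
// Assumed simpler id pattern: 8 hex characters inside the first pair of quotes.
| extend NetIQId = extract(@'^"([0-9A-F]{8})"', 1, SyslogMessage)
| project TimeGenerated, NetIQId, ProductRx, ProductSplit, ProductParse
```

All three Product columns return "NetIQ Access Manager" for the first row and the sshd row is filtered out by the where clause.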