Share via

Parse data from a field using KQL

AzureSent-0127 41 Reputation points
2023-05-22T20:10:18.9266667+00:00

How can I extract (parse out) pieces of data from a field and then put them in their own dedicated column in KQL? (Please see attached image for details)Syslog_Parsing

Azure Data Explorer
Azure Data Explorer
An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.
Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Samy Abdul 3,376 Reputation points
    2023-05-23T06:22:15.01+00:00

    Hi @AzureSent-0127 , parse operator would be the thing you should be looking at :

    Syntax

    T | parse [ kind=kind [ flags=regexFlags ]] expression with [ * ] stringConstant columnName [: columnType] [ * ] , ...

    Please go through below link for further details:

    https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/parseoperator#syntax Thanks

  2. Tom 20 Reputation points
    2023-05-25T13:59:20.9333333+00:00

    i'm using a log analytics workspace, and KQL to retrieve / troubleshoot. In the ResultDescription column I have a string. I want to extract data and put them (extend) in there own column. The accountname and Caller Computer Name, could someone help me out?

    Best Regards,

    Onedutch

    log analytics workspace Screenshot 2023-05-25 155247

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.