Kusto: regex returns incorrect results

Dominik Britz 21 Reputation points
2022-08-30T06:56:39.467+00:00

Hi all,

I've created a Kusto search that uses the regex command. The search worked flawlessly until a few days back. I'm now getting results which do not match the regex query.

The regex query should only return computers starting with HYPERV, DC, GW, SPLUNK, or SQL. However, other machines are returned, too. See screenshot.

236021-fjidfxk8uj.png

When I remove |^DC* from the regex query, the three machines are no longer returned. But, I'm then missing any machines starting with DC, too, of course.

Any ideas?


Accepted answer
  1. David Broggy 5,681 Reputation points MVP
    2022-08-30T13:58:07.07+00:00

    From my experience, a wildcard by itself isn't correct; it should be ".*".
    The star usually means "match the previous character 1 or more times".
    By adding a dot you're saying "match any character 1 or more times".
    You don't even need the wildcard for what you're trying to do.

    Try testing your regexes at regex101.com or any online regex site.

    Matches:
    236118-image.png

    Doesn't Match:
    236107-image.png
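
Added example, not part of the original thread: in a regular expression `*` quantifies only the single preceding character and allows zero occurrences, so `^DC*` reads as "D followed by zero or more C" and accepts every name that begins with D. The KQL below compares that behaviour with a literal-prefix alternation on constructed host names; the full original query is visible only in the screenshot, so the starred alternation is an assumed shape built around the `|^DC*` fragment quoted in the question.

```kusto
// Added example: all host names below are constructed, not taken from the thread.
// First row: intended targets. Second row: hosts that share only a first
// letter (or a shortened stem) with a target prefix. Third row: unrelated names.
datatable(Computer:string)
[
    "DC01", "DC-EAST-02", "HYPERV01", "GW01", "SPLUNK01", "SQL01",
    "DESKTOP-7F3K", "DB01", "DEV-BUILD", "GITLAB01", "SQ-TEST",
    "WEB01", "MYDC01"
]
// Assumed shape of the problem query: each alternative ends in '*', which
// applies to the last letter only (V, C, W, K, L) and permits zero of it.
| extend StarMatch = Computer matches regex @"^HYPERV*|^DC*|^GW*|^SPLUNK*|^SQL*"
// Literal prefixes: one anchor, one group, no quantifier.
| extend PrefixMatch = Computer matches regex @"^(HYPERV|DC|GW|SPLUNK|SQL)"
// Hosts admitted by the starred pattern but not by the literal prefixes.
| extend OverMatched = StarMatch and not(PrefixMatch)
| project Computer, StarMatch, PrefixMatch, OverMatched
| order by OverMatched desc, Computer asc
```

Rows with `OverMatched` set to true are hosts the starred pattern admits and the literal prefixes do not, which matters when the regex scopes an alert or report to a specific set of servers.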


2 additional answers

  1. Maxim Sergeev 6,566 Reputation points Microsoft Employee
    2022-08-30T07:09:19.797+00:00

    It's weird, your query looks correct. Open a support ticket, please.


  2. David Broggy 5,681 Reputation points MVP
    2022-08-30T13:48:07.097+00:00

    Hi Dominik,
    I don't understand your use of the wildcard.
    I would either remove the wildcard entirely or use ".*" (one or more string matches).
    You shouldn't need the wildcard, IMO.
