Reputation: 13
Azure Kusto Query to trim multiple parts of a string
I'm using a KQL query in Azure to create a Sentinel alert.
I can't workout how to trim a string to show the data between the third instance of the " character and the first instance of (
I've tried to use a trim_start/ trim_end and also a split command but keep getting regex problems.
An example of the string is [ "HOSTNAME", "Test User ([email protected])" ]
I'd like to either extract Test User from the string or HOSTNAME, Test User and [email protected] into separate fields.
Any help or pointers in the right direction would be appreciated
Upvotes: 1
Views: 3239
Answers (2)
Reputation: 133
parse-where is good for this, too.
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/parsewhereoperator
Upvotes: 0
Reputation: 25895
you could use the parse operator.
for example:
print input = '[ "HOSTNAME", "Test User ([email protected])" ]'
| parse input with * '"' host_name '"' * '"' user_name ' (' email_address ')' *
| input | host_name | user_name | email_address |
|---|---|---|---|
| [ "HOSTNAME", "Test User ([email protected])" ] | HOSTNAME | Test User | [email protected] |
Upvotes: 1
Related Questions
- Kusto Query Language - Extract all between two Characters
- KQL/Kusto - how to get String between conditions
- Match partial string from list with field
- Kusto query for email filtering with regex
- Azure Kusto Query to trim the name of a full Azure Resource ID
- How do you do a distinct query with a criteria to find a specific substring in Kusto?
- Substring search on one column from the column of another table without IN operator
- How to use Regex in kusto query
- Kusto - How to trim set of characters before a condition
- How do I write a Kusto query that uses a regex to filter on a where clause