floopsandRoot
Reputation: 69
Regex/KQL - Parse/Extract from Distinguished Name
In Az Log Analytics, I am wanting to extract information from A DN
cn=User One,OU=Accounts,OU=Administrative,DC=internal,DC=local,DC=com
The goal is to extend to new columns: User = User One, Domain = internal.local.com
Haven't been able to find a good example to recreate this from in Kusto.
Upvotes: 1
Views: 730
Answers (1)
Yoni L.
Reputation: 25895
you could use the parse operator:
print input = 'cn=User One,OU=Accounts,OU=Administrative,DC=internal,DC=local,DC=com'
| parse input with "cn=" User "," * "DC=" d1 ",DC=" d2 ",DC=" d3
| project input, User, Domain = strcat_delim(".", d1, d2, d3)
| input | User | Domain |
|---|---|---|
| cn=User One,OU=Accounts,OU=Administrative,DC=internal,DC=local,DC=com | User One | internal.local.com |
Or, if there is a variable number of occurrences of DC=:
datatable(input:string) [
'cn=User One,OU=Accounts,OU=Administrative,DC=internal,DC=local,DC=com',
'cn=User One,OU=Accounts,OU=Administrative,DC=internal,DC=com',
]
| parse input with "cn=" User "," * ",DC=" Domain
| extend Domain = replace_string(Domain, ",DC=", ".")
| input | User | Domain |
|---|---|---|
| cn=User One,OU=Accounts,OU=Administrative,DC=internal,DC=local,DC=com | User One | internal.local.com |
| cn=User One,OU=Accounts,OU=Administrative,DC=internal,DC=com | User One | internal.com |
Upvotes: 1
Related Questions
- Extracting a value from all string records in a column Kusto?
- azure kql parse function - unable to parse ? using regex (zero or one time)
- Azure Data Explorer, Kusto: Replace regex question
- Azure KQL Regex capture of sentence with extract_all() for named capture groups
- Regex Match with Square Bracket and letters
- Regex Match Kusto
- Split column string with delimiters into separate columns in azure kusto
- Kusto - Extract string field into new columns using parse operator
- Parse data in Kusto
- Azure Data Explorer, Kusto: regex not semantically correct in extract()