How to split the column value to assign for the custom column using kql query in azure log analytics workspace

Question

I have the Azure Function App deployed in Azure Function Cloud App and diagnostic setting is created to send all the logs to Log Analytics workspace.

I'm able to get the result using the below query:

FunctionAppLogs 
| where FunctionName contains "Function2"

Result will be generated with many columns such as TimeGenerated [UTC], ServiceName, Category, Location, Message, HostVersion, FunctionInvocatoinId, FunctionName, HostInstanceId, Level, AppName, RoleInstance, etc.

Here the column Message values will be in below format:

user-service URL is healthy. Status code: [{"message":"Success","status":200},

audit-service URL is healthy. Status code: [{"message":"Success","status":200}

So I want to split the Message and provide that split value to the external (custom) column in the result using above KQL query. I tried with the below query but didn't get how to split it.

FunctionAppLogs 
| where FunctionName contains "Function2"
| extend ServiceName = split(Message, "%-service", 20)

Hence the new custom column ServiceName should have the string values came from Message column such as:

user-service
audit-service

Could anyone help me with the KQL query for splitting the column value and assign to the new column?

Answer 1

I have reproduced in my environment and got expected results as below:

Below is KQL query which worked for me:

Functions
|extend SplitLog = split(Message, " ")
| project ServiceName =SplitLog[0]

Output:

Fiddle.

You can also get other columns like below:

Here Message is column name.