Forum Discussion
Solved
Extracting a file Extension from a syslog message
We are sending syslog messages to Azure Monitor where the message body looks like this: 10.220.200.26,groot-1,"AD\alice",smb2,fs_read_data,ok,123,"/source/folder/file.doc","/target/folder/fil...
- You didn't "extend" / Split first CSVFields
Syslog
//| where ProcessName == 'qumulo'
| extend CSVFields = split(SyslogMessage, ',')
| extend Path1 = tostring(CSVFields[6])
| extend FileExt1 = extract((@"\.[^.\/:*?'<>|\r\n]+$"),1,Path1)
CliveWatson
Microsoft
MicrosoftYou didn't "extend" / Split first CSVFields
Syslog
//| where ProcessName == 'qumulo'
| extend CSVFields = split(SyslogMessage, ',')
| extend Path1 = tostring(CSVFields[6])
| extend FileExt1 = extract((@"\.[^.\/:*?'<>|\r\n]+$"),1,Path1)
Syslog
//| where ProcessName == 'qumulo'
| extend CSVFields = split(SyslogMessage, ',')
| extend Path1 = tostring(CSVFields[6])
| extend FileExt1 = extract((@"\.[^.\/:*?'<>|\r\n]+$"),1,Path1)
CliveWatson Many thanks, Clive !
This solved it (almost). Unfortunately the Path here is stored with "" in the field:
"/this/file.txt" ... so the extract would deliver .txt"
How can I extend Path1 and trimming out the "" ? I did two extends but isn't there an easier way ?
Syslog
| extend CSVFields = split(SyslogMessage, ',')
| extend Path1tmp = tostring(CSVFields[6])
// now strip out the surrounding ""
| extend Path1 = extract((@'"([^"]*)'),1,Path1tmp)
// now extract the file extention from Path1
| extend FileExt1 = extract((@"\.[^.\/:*?'<>|\r\n]+$"),0,Path1)
Any other idea of how I can extract a string without the surrounding " in one step ?
- CliveWatson| extend Path1 = trim(@"[^\w]+",tostring(Path1)) // remove any non word characters
You can add this as the last line, or maybe integrate it into the extract() ?
