Forum Discussion
hrishidahale
Jul 20, 2023
Copper Contributor
How to extract fields from Custom logs raw data?
Hi,
I have created a custom log that collects failed login details. The raw data contains the latitude, longitude, destination host, IP address, etc. I want to separate these into their respective fields. I have attached the screenshot. Please help.
- Adeelaziz
Brass Contributor
In my opinion, the simplest solution here is to use project.
FAILED_RDP_WITH_GEO_CL
| project TimeGenerated, Computer, RawData, Type
- Clive_Watson
Bronze Contributor
project would only show the column "as is", you'd need to parse the data ideally (if you don't use a transformation).
e.g.
let dt_ = datatable (RawData:string) [
    "latitude:47.91542,longitude:120.60306,destinationhost:sample,username:fakeuser",
    "latitude:47.91524,longitude:120.70306,destinationhost:sample2,username:fakeuser2"
];
dt_
| parse-kv RawData as (latitude:string, longitude:string, destinationhost:string, username:string) with (pair_delimiter=',', kv_delimiter=':')
parse-kv would work well here
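Building on the parse-kv suggestion above, an added example (not code from any poster in this thread): it assumes RawData uses the comma-separated key:value layout of the sample rows, converts the coordinates to numbers, keeps unparseable rows visible, and counts failed logins per user and host. The `sourcehost` key, the `FailedRdp` name and all sample rows are constructed for illustration.

```kql
// Constructed sample rows standing in for FAILED_RDP_WITH_GEO_CL.
// The sourcehost key is an assumption; use whatever key your RawData carries for the IP address.
let FailedRdp = datatable (TimeGenerated:datetime, RawData:string) [
    datetime(2023-07-20 10:00:00), "latitude:47.91542,longitude:120.60306,destinationhost:sample,username:fakeuser,sourcehost:203.0.113.10",
    datetime(2023-07-20 10:00:05), "latitude:47.91542,longitude:120.60306,destinationhost:sample,username:fakeuser,sourcehost:203.0.113.10",
    datetime(2023-07-20 10:01:00), "latitude:47.91524,longitude:120.70306,destinationhost:sample2,username:fakeuser2,sourcehost:198.51.100.7",
    datetime(2023-07-20 10:02:00), "malformed line without key-value pairs"
];
FailedRdp   // replace with FAILED_RDP_WITH_GEO_CL to run against the real table
// Values that themselves contain ',' or ':' need different delimiters or the quote option.
| parse-kv RawData as (latitude:string, longitude:string, destinationhost:string, username:string, sourcehost:string)
    with (pair_delimiter=',', kv_delimiter=':')
// todouble() returns null when the text is not numeric, so bad coordinates are detectable.
| extend Latitude = todouble(latitude), Longitude = todouble(longitude)
// Flag rows that did not parse instead of silently dropping them.
| extend ParseOk = isnotempty(username) and isnotnull(Latitude) and isnotnull(Longitude)
| summarize FailedLogins = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by ParseOk, username, destinationhost, sourcehost, Latitude, Longitude
| order by FailedLogins desc
```

Rows with `ParseOk == false` point to a format change or a truncated record in the custom log and are worth reviewing before relying on the counts.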
- shreyashhire
Copper Contributor
hrishidahale Did you get a solution for this? I am facing the same issue.
- josecons
Microsoft
Hi shreyashhire, as mentioned in the previous reply, the way forward is to use transformations.
Just make sure the table is a supported table as per: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations#supported-tables
- Jong_Ho_Ham
Microsoft
Give "Transformations" a try. If you are struggling to implement it, please open a support ticket to get help.
Data collection transformations - Azure Monitor | Microsoft Learn