How to extract fields from Custom logs raw data?

Hi, I have created a custom log that collects failed login details. The raw data contains the Latitude, longitude, destination host, IP address, etc. I want to separate these into their respective f...

Adeelaziz

Brass Contributor

Apr 05, 2024

In my opinion, the simplest solution here is to use project.

FAILED_RDP_WITH_GEO_CL
| project TimeGenerated, Computer, RawData, Type

Clive_Watson

Bronze Contributor

Apr 08, 2024

Adeelaziz

project would only show the column "as is", you'd need to parse the data ideally (if you dont use a transformation).

e.g.

let dt_ = datatable (RawData:string)
[
"latitude:47.91542,longitude:120.60306,destinationhost:sample,username:fakeuser"
"latitude:47.91524,longitude:120.70306,destinationhost:sample2,username:fakeuser2"
];
dt_
| parse-kv RawData as (latitude:string, longitude:string, destinationhost:string, username:string)  with (pair_delimiter=',', kv_delimiter=':')

parse-kv would work well here

Forum Discussion

How to extract fields from Custom logs raw data?

Resources