Forum Discussion

SamiJ21's avatar
SamiJ21
Copper Contributor
Feb 20, 2020

Negative Lookahead with Regular expression in Kusto Log Analytics

Hello everyone,   I'm trying to extract exceptions within our logs using regular expression. And it happens that I need to perform a negative lookahead to ignore a specific string. The query looks ...
azure monitor
Query Language
SamiJ21's avatar
SamiJ21
Copper Contributor
Feb 20, 2020

Well, I managed to get over it without using regex negative lookhead by using another custom function to skip the non-relevant information. My solution looks like below in case someone else is facing similar case :smile:

let pattern = @'Exception: (.+)\s+Message: ([\S\s]+)\s+Source: ([\S\s]+)';
let standardize = (msg:string) {
    let msg2 = replace(@'"(\S+)"', '"xxx"', msg);
    replace(@"'(\S+)'", '"xxx"', msg2)
};
let getException = (msg: string) {
    case(msg contains "System.Web.HttpUnhandledException", substring(msg, indexof(msg, "Nested Exception") + 17), msg)
};
WebsiteLogs
| where ExceptionMessage contains "System.Web.HttpUnhandledException" or ExceptionMessage contains "[Extra Exception from config]"
| where  TimeGenerated > ago(7d) 
| project   URL,
            Exception=extract(pattern, 1, ExceptionMessage ), 
            Message = standardize(extract(pattern, 2, getException(ExceptionMessage) )),
            StackTrace = substring(extract(pattern, 3, getException(ExceptionMessage )), 0, 500)
| summarize Errors_Count = count() by Message, URL, StackTrace
| sort by Errors_Count desc  nulls last 
| limit 1000

Here, the getException() function just skip the ExceptionMessage till the first Nested Exception for logs containing the System.Web.HttpUnhandledException.

 

Nevertheless, I'm still wondering if regex lookahead is supported or not :smile:

 

 

Resources