Forum Discussion

CloudMe's avatar
CloudMe
Copper Contributor
Sep 30, 2019

parsing two options in the same cell?

Hi,

 

I need to parse for usernames that can appear under different text context in the same cell.

Is it possible to check for different variants in the same cell and stop on the first match?

 

This is obviously not working but explains my question:

| parse Message with *"ABC" UserName "DEF"* or *"GHI" UserName "JKL"*
 
Thank You.
  • CloudMe 

     

    Assuming the word "from" is the final word in this column the:

     

    let msg = datatable (Date:date, Message:string)
    [
    datetime(2019-09-29),"Failed password for  testperson from",
    datetime(2019-09-29),"Failed password for invalid user clive from",
    datetime(2019-09-30),"Failed password for testuser from",
    datetime(2019-09-30),"Failed password fakeuser from"
    ];
    msg
    | extend txtArray =split(Message, " ")   // split the column if we see a <space> into an array
    | extend posArray = array_length(txtArray) -2   // Now calculate the positionin the array of the 2nd to last entry (the word before "from")
    | extend UserName = trim(@"[^\w]+",tostring(split(txtArray[posArray]," "))) // clean the text (non Alpha chars) and get the 2nd to last entry 
    

     

     

    Date Message txtArray posArray UserName
    2019-09-29T00:00:00Z Failed password for testperson from ["Failed","password","for","","testperson","from"] 4 testperson
    2019-09-29T00:00:00Z Failed password for invalid user clive from ["Failed","password","for","invalid","user","clive","from"] 5 clive
    2019-09-30T00:00:00Z Failed password for testuser from ["Failed","password","for","testuser","from"] 3 testuser
    2019-09-30T00:00:00Z Failed password fakeuser from ["Failed","password","fakeuser","from"] 2 fakeuser

     

     

    • CloudMe's avatar
      CloudMe
      Copper Contributor

      CliveWatson 

       

      Its a SyslogMessage that contains failed authentication info and can come in two types.

       

      Failed password for invalid user UserName from

      or

      Failed password for UserName from

       

      i need to parse the UserName for my next actions regardless of the message type but put it in only one variable(UserName).

       

      • CliveWatson's avatar
        CliveWatson
        Icon for Microsoft rankMicrosoft

        CloudMe 

         

        Assuming the word "from" is the final word in this column the:

         

        let msg = datatable (Date:date, Message:string)
        [
        datetime(2019-09-29),"Failed password for  testperson from",
        datetime(2019-09-29),"Failed password for invalid user clive from",
        datetime(2019-09-30),"Failed password for testuser from",
        datetime(2019-09-30),"Failed password fakeuser from"
        ];
        msg
        | extend txtArray =split(Message, " ")   // split the column if we see a <space> into an array
        | extend posArray = array_length(txtArray) -2   // Now calculate the positionin the array of the 2nd to last entry (the word before "from")
        | extend UserName = trim(@"[^\w]+",tostring(split(txtArray[posArray]," "))) // clean the text (non Alpha chars) and get the 2nd to last entry 
        

         

         

        Date Message txtArray posArray UserName
        2019-09-29T00:00:00Z Failed password for testperson from ["Failed","password","for","","testperson","from"] 4 testperson
        2019-09-29T00:00:00Z Failed password for invalid user clive from ["Failed","password","for","invalid","user","clive","from"] 5 clive
        2019-09-30T00:00:00Z Failed password for testuser from ["Failed","password","for","testuser","from"] 3 testuser
        2019-09-30T00:00:00Z Failed password fakeuser from ["Failed","password","fakeuser","from"] 2 fakeuser

         

         

Resources