Forum Discussion
CloudMe
Sep 30, 2019Copper Contributor
parsing two options in the same cell?
Hi,
I need to parse for usernames that can appear under different text context in the same cell.
Is it possible to check for different variants in the same cell and stop on the first match?
This is obviously not working but explains my question:
| parse Message with *"ABC" UserName "DEF"* or *"GHI" UserName "JKL"*
Thank You.
Assuming the word "from" is the final word in this column the:
let msg = datatable (Date:date, Message:string) [ datetime(2019-09-29),"Failed password for testperson from", datetime(2019-09-29),"Failed password for invalid user clive from", datetime(2019-09-30),"Failed password for testuser from", datetime(2019-09-30),"Failed password fakeuser from" ]; msg | extend txtArray =split(Message, " ") // split the column if we see a <space> into an array | extend posArray = array_length(txtArray) -2 // Now calculate the positionin the array of the 2nd to last entry (the word before "from") | extend UserName = trim(@"[^\w]+",tostring(split(txtArray[posArray]," "))) // clean the text (non Alpha chars) and get the 2nd to last entry
Date Message txtArray posArray UserName 2019-09-29T00:00:00Z Failed password for testperson from ["Failed","password","for","","testperson","from"] 4 testperson 2019-09-29T00:00:00Z Failed password for invalid user clive from ["Failed","password","for","invalid","user","clive","from"] 5 clive 2019-09-30T00:00:00Z Failed password for testuser from ["Failed","password","for","testuser","from"] 3 testuser 2019-09-30T00:00:00Z Failed password fakeuser from ["Failed","password","fakeuser","from"] 2 fakeuser
- CliveWatson
Microsoft
What does the column 'Message' actaulyly look like look like? Can you provide some examples of the contents?
e.g.
print Message = "ABCyyyyDEFGHIzzzzJKL"orprint Message = "ABCDEFGHIzzzzJKL"or use a datatablelet msg = datatable (Message:string) [ "ABCyyyyDEFGHIzzzzJKLMNOaaaaaPQR" ]; msg
- CloudMeCopper Contributor
Its a SyslogMessage that contains failed authentication info and can come in two types.
Failed password for invalid user UserName from
or
Failed password for UserName from
i need to parse the UserName for my next actions regardless of the message type but put it in only one variable(UserName).
- CliveWatson
Microsoft
Assuming the word "from" is the final word in this column the:
let msg = datatable (Date:date, Message:string) [ datetime(2019-09-29),"Failed password for testperson from", datetime(2019-09-29),"Failed password for invalid user clive from", datetime(2019-09-30),"Failed password for testuser from", datetime(2019-09-30),"Failed password fakeuser from" ]; msg | extend txtArray =split(Message, " ") // split the column if we see a <space> into an array | extend posArray = array_length(txtArray) -2 // Now calculate the positionin the array of the 2nd to last entry (the word before "from") | extend UserName = trim(@"[^\w]+",tostring(split(txtArray[posArray]," "))) // clean the text (non Alpha chars) and get the 2nd to last entry
Date Message txtArray posArray UserName 2019-09-29T00:00:00Z Failed password for testperson from ["Failed","password","for","","testperson","from"] 4 testperson 2019-09-29T00:00:00Z Failed password for invalid user clive from ["Failed","password","for","invalid","user","clive","from"] 5 clive 2019-09-30T00:00:00Z Failed password for testuser from ["Failed","password","for","testuser","from"] 3 testuser 2019-09-30T00:00:00Z Failed password fakeuser from ["Failed","password","fakeuser","from"] 2 fakeuser