Forum Discussion

CloudMe's avatar
CloudMe
Copper Contributor
Sep 30, 2019
Solved

parsing two options in the same cell?

Hi,   I need to parse for usernames that can appear under different text context in the same cell. Is it possible to check for different variants in the same cell and stop on the first match?   ...
azure monitor
Query Language
  • CliveWatson's avatar
    CliveWatson
    Oct 01, 2019

    CloudMe 

     

    Assuming the word "from" is the final word in this column the:

     

    let msg = datatable (Date:date, Message:string)
[
datetime(2019-09-29),"Failed password for  testperson from",
datetime(2019-09-29),"Failed password for invalid user clive from",
datetime(2019-09-30),"Failed password for testuser from",
datetime(2019-09-30),"Failed password fakeuser from"
];
msg
| extend txtArray =split(Message, " ")   // split the column if we see a <space> into an array
| extend posArray = array_length(txtArray) -2   // Now calculate the positionin the array of the 2nd to last entry (the word before "from")
| extend UserName = trim(@"[^\w]+",tostring(split(txtArray[posArray]," "))) // clean the text (non Alpha chars) and get the 2nd to last entry

     

     

    Date Message txtArray posArray UserName
    2019-09-29T00:00:00Z Failed password for testperson from ["Failed","password","for","","testperson","from"] 4 testperson
    2019-09-29T00:00:00Z Failed password for invalid user clive from ["Failed","password","for","invalid","user","clive","from"] 5 clive
    2019-09-30T00:00:00Z Failed password for testuser from ["Failed","password","for","testuser","from"] 3 testuser
    2019-09-30T00:00:00Z Failed password fakeuser from ["Failed","password","fakeuser","from"] 2 fakeuser

     

     

CloudMe's avatar
CloudMe
Copper Contributor
Sep 30, 2019

CliveWatson 

 

Its a SyslogMessage that contains failed authentication info and can come in two types.

 

Failed password for invalid user UserName from

or

Failed password for UserName from

 

i need to parse the UserName for my next actions regardless of the message type but put it in only one variable(UserName).

 

CliveWatson's avatar
CliveWatson
Icon for Microsoft rankMicrosoft
Oct 01, 2019

CloudMe 

 

Assuming the word "from" is the final word in this column the:

 

let msg = datatable (Date:date, Message:string)
[
datetime(2019-09-29),"Failed password for  testperson from",
datetime(2019-09-29),"Failed password for invalid user clive from",
datetime(2019-09-30),"Failed password for testuser from",
datetime(2019-09-30),"Failed password fakeuser from"
];
msg
| extend txtArray =split(Message, " ")   // split the column if we see a <space> into an array
| extend posArray = array_length(txtArray) -2   // Now calculate the positionin the array of the 2nd to last entry (the word before "from")
| extend UserName = trim(@"[^\w]+",tostring(split(txtArray[posArray]," "))) // clean the text (non Alpha chars) and get the 2nd to last entry

 

 

Date Message txtArray posArray UserName
2019-09-29T00:00:00Z Failed password for testperson from ["Failed","password","for","","testperson","from"] 4 testperson
2019-09-29T00:00:00Z Failed password for invalid user clive from ["Failed","password","for","invalid","user","clive","from"] 5 clive
2019-09-30T00:00:00Z Failed password for testuser from ["Failed","password","for","testuser","from"] 3 testuser
2019-09-30T00:00:00Z Failed password fakeuser from ["Failed","password","fakeuser","from"] 2 fakeuser

 

 

  • CloudMe's avatar
    CloudMe
    Copper Contributor
    Oct 01, 2019

    CliveWatson Thank you, I appreciate your time and effort.

Resources