ScottAllison
Aug 09, 2018 (Iron Contributor)
Syslog parsing issue - extra comma
I've been trying to correctly parse a log using Syslog, but I am stuck. One of the fields sometimes contains a comma as part of a message, and this breaks my split() because the comma is the delimite...
Aug 09, 2018
Hi,
I think the best you can do is to remove the comma from the message before using split.
Syslog
| where SyslogMessage contains ",system,"
// Assumes the comma inside the message is followed by a space; delimiter commas are left in place for split()
| extend SyslogMessage = replace(@', ', @' ', SyslogMessage)
| extend msgArr = split(SyslogMessage, ",")
| project TimeGenerated, Description=msgArr[13], Action_Flags=msgArr[15], msgArr
Let me know if this helps!
You can also try to replace it with some specific character and after you've used split to use replace again to return the comma in case it is important for the end results.
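The placeholder approach from the reply above, as an added example that is not part of the original thread: the comma inside the message is masked, the record is split, and the comma is restored in the extracted field. The sample rows, the six-field layout, the `Mask` token and the rule that a message comma is followed by a space are all assumptions made for illustration.

```kusto
// Constructed sample rows; the 6-field layout (message at index 3) is an assumption.
let Sample = datatable(SyslogMessage:string)
[
    "1,2018/08/09 10:00:00,system,Connection failed, retrying in 30s,general,0x0",
    "1,2018/08/09 10:00:05,system,Commit succeeded,general,0x0"
];
// Placeholder token, assumed never to occur in a real message.
let Mask = "<COMMA>";
Sample
| where SyslogMessage contains ",system,"
// 1. Mask only commas followed by a space (assumed to be message text, not delimiters).
| extend Masked = replace_string(SyslogMessage, ", ", strcat(Mask, " "))
// 2. Split on the remaining commas, which are now all field delimiters.
| extend msgArr = split(Masked, ",")
// 3. Flag rows where the assumption did not hold and the fields are still shifted.
| extend FieldCountOk = array_length(msgArr) == 6
// 4. Put the comma back in the field that carried it.
| extend Description = replace_string(tostring(msgArr[3]), Mask, ",")
| project Description, Action_Flags = tostring(msgArr[5]), FieldCountOk
```

Rows with `FieldCountOk == false` still have shifted columns and should be reviewed before their fields are used in a detection or report.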