Forum Discussion
User defined function for Log analytics custom log cannot parse the RawData
let RemoveBracket = (RawData:string)
{ substring(RawData, 1, indexof(RawData, "]", 1)-1) } ;
let BodyIndex = (RawData:string)
{ toint( strlen(RawData)-indexof(RawData, "]", 1) ) } ;
CloudAppEvents
| extend head = RemoveBracket(RawEventData)
| extend headSplit = split(head, "|")
| extend body = substring(RawEventData, indexof(RawEventData, "]", 1)+1, BodyIndex(RawEventData))
| extend TimeStamp=headSplit[0], Sev=headSplit[1], method=headSplit[2], VMSS=headSplit[3], svr=headSplit[4], AOD=headSplit[5], Result=headSplit[6], msg=headSplit[7], body
//| where VMSS contains "qa"
| project TimeStamp, Sev, method, VMSS, svr, AOD, Result, msg, body
| limit 100
| where isnotempty(TimeStamp)
- Sahyang, Nov 02, 2022, Copper Contributor
Clive_Watson
Hello Watson, thank you for your comment. It works when I attached those two "let" functions.
However, the point is that the query does not work if I defined those two functions separately and tried to call them rather than define them on top of the query.
Means, I defined "RemoveBracket" and "BodyIndex" as saved functions and use below query,
appdocrootlogs_CL
| extend head = RemoveBracket(RawData)
| extend headSplit = split(head, "|")
| extend body = substring(RawData, indexof(RawData, "]", 1)+1, BodyIndex(RawData))
| project TimeStamp=headSplit[0], Sev=headSplit[1], method=headSplit[2], VMSS=headSplit[3], svr=headSplit[4], AOD=headSplit[5], Result=headSplit[6], msg=headSplit[7], body
the function call generates an error.
Can you also try to define those two functions separately and try to use them?