Forum Discussion
Solved
Extract from syslog
Hello can someone please help me with extract regex expression? I have syslog message that have this structure 1692086254.870677475 XXXXXX flows src=XXXX dst=XXXXX protocol=tcp sport=58296 dport=44...
- This works
pattern = extract(@'pattern: \"?(\w+)\"?', 1, SyslogMessage),
Hello
try
Syslog
| where has("pattern") and (tostring(dynamic(["allow", "deny"]) in tostring(pattern)))
| project Timestamp, src, dst, protocol, sport, dport, pattern
Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.
unfortunately it does not work for me:
Query could not be parsed at 'has' on line [2,8] Token: has Line: 2 Position: 8 Request id: 2e66e81d-d5e5-412c-9130-6d27512cd854
- This works
pattern = extract(@'pattern: \"?(\w+)\"?', 1, SyslogMessage),
