Connect with experts and redefine what’s possible at work – join us at the Microsoft 365 Community Conference May 6-8. Learn more >

Forum Discussion

Copper Contributor

Aug 15, 2023

Solved

Extract from syslog

Hello can someone please help me with extract regex expression? I have syslog message that have this structure 1692086254.870677475 XXXXXX flows src=XXXX dst=XXXXX protocol=tcp sport=58296 dport=44...

Marek Stelcik
Aug 18, 2023
This works
pattern = extract(@'pattern: \"?(\w+)\"?', 1, SyslogMessage),

raphaelcustodiosoares

Iron Contributor

Aug 15, 2023

Hello

try

Syslog
| where has("pattern") and (tostring(dynamic(["allow", "deny"]) in tostring(pattern)))
| project Timestamp, src, dst, protocol, sport, dport, pattern

Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

Copper Contributor

Aug 16, 2023

raphaelcustodiosoares

unfortunately it does not work for me:

Query could not be parsed at 'has' on line [2,8] Token: has Line: 2 Position: 8 Request id: 2e66e81d-d5e5-412c-9130-6d27512cd854

Marek Stelcik
Copper Contributor
Aug 18, 2023
This works
pattern = extract(@'pattern: \"?(\w+)\"?', 1, SyslogMessage),

Share

Resources