Forum Discussion
yugandhar206
Jan 23, 2025 - Copper Contributor
How to remove string quotes and other things from the parsed syslog message
Hello Sentinel Community, We are ingesting Azure database for Postgresql logs into the log analytical workspace and tried to retrieve the values from the Postgresql log Message column. However, we ...
GaryBushey
Jan 23, 2025 - Bronze Contributor
I would suggest looking at a Regex string to remove the unneeded characters (Regex syntax - Kusto | Microsoft Learn)
- Clive_Watson, Jan 24, 2025 - Bronze Contributor
Gary is correct (as always), you can also just trim the data as well, not as elegant but useful. I think you also need to add: "," * at the end of the parse to just get the database name.
// Constant sample message; 'Usage | take 1' only supplies a single row to run the parse against
let Message = '"Message: 2025-01-22 09:53:35 UTC-6790c01f.259e-FATAL: no pg_hba.conf entry for host "10.150.48.4", user "email address removed for privacy reasons", database "prodxxxx0424", no encryption"';
Usage | take 1
// Capture the text between the literal markers; the captured pieces still carry the surrounding quotes, commas and spaces
|parse kind=relaxed Message with * "host" Source_IP "user" UserName "database" DatabaseName "," *
// trim() strips any leading/trailing non-word characters, leaving only the bare values
|project SourceIP=trim(@"[^\w]+",Source_IP) , UserName=trim(@"[^\w]+",UserName), Database=trim(@"[^\w]+",DatabaseName)
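As an added example (not code from Gary's or Clive's replies), the query below takes Gary's regex suggestion one step further: `extract()` with a capture group returns only the text inside the quotes, so no `trim()` pass is needed, and the result is then aggregated by source host so repeated `pg_hba.conf` rejections stand out. The `SampleLogs` datatable is constructed sample data standing in for the real Postgresql diagnostics table, whose name and column layout depend on how the diagnostic setting was configured; the user names, hosts and the `Encryption` column are assumptions for illustration.

```kql
// Constructed sample rows (not real data) shaped like the Postgresql Message column in the thread
let SampleLogs = datatable(TimeGenerated: datetime, Message: string) [
    datetime(2025-01-22 09:53:35), 'Message: 2025-01-22 09:53:35 UTC-6790c01f.259e-FATAL: no pg_hba.conf entry for host "10.150.48.4", user "app_user", database "prodxxxx0424", no encryption',
    datetime(2025-01-22 09:53:41), 'Message: 2025-01-22 09:53:41 UTC-6790c025.25a3-FATAL: no pg_hba.conf entry for host "10.150.48.4", user "app_user", database "prodxxxx0424", no encryption',
    datetime(2025-01-22 09:54:02), 'Message: 2025-01-22 09:54:02 UTC-6790c03a.25b0-FATAL: no pg_hba.conf entry for host "203.0.113.7", user "postgres", database "postgres", SSL encryption',
    datetime(2025-01-22 09:55:10), 'Message: 2025-01-22 09:55:10 UTC-6790c07e.25c1-LOG: connection authorized: user=app_user database=prodxxxx0424'
];
SampleLogs
// Keep only the rejected connection attempts
| where Message has "no pg_hba.conf entry"
// Capture group 1 of each regex is the value between the quotes, so quotes and commas never reach the column
| extend Source_IP    = extract(@'host "([^"]+)"', 1, Message),
         UserName     = extract(@'user "([^"]+)"', 1, Message),
         DatabaseName = extract(@'database "([^"]+)"', 1, Message),
         Encryption   = extract(@'", (\w+ encryption)$', 1, Message)
// One row per source host: how many rejections, which users and databases were tried, and how many came in without TLS
| summarize Failures = count(),
            Unencrypted = countif(Encryption == "no encryption"),
            Users = make_set(UserName),
            Databases = make_set(DatabaseName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by Source_IP
| order by Failures desc
```

With the sample rows, `10.150.48.4` comes out on top with two failures, both unencrypted, against `prodxxxx0424` as `app_user`, while `203.0.113.7` shows one failure for the `postgres` user. Replace `SampleLogs` with the real diagnostics table and the `where` clause doubles as the starting point for an analytics rule on repeated `pg_hba.conf` rejections from one host.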