Forum Discussion
andrew_bryant
Aug 20, 2019 (Brass Contributor)
Kusto question
Importing event logs into workspace that have a property like the following:
<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>
We are interested in the second parameter. Is there a query that can distill this down into one property?
- CliveWatson, Microsoft
Are you asking about parsing? Example:
print txt = "<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>" | parse txt with *"<Param>2</" p2 "><Param>3"*
Result:
txt                                                                               p2
<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>  Param
- andrew_bryant, Brass Contributor
This was what I was looking for. Here is the query I ended up using:
Event
// trailing "</Param>" * keeps the closing tag out of the last captured column
| parse ParameterXml with * "<Param>" SChannel "</Param><Param>" Username "</Param><Param>" domain "</Param><Param>" Workstation "</Param><Param>" channeltype "</Param>" *
The event log source was the NTLM operational log from DCs auditing NTLM requests.
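As an added example (not from this thread), the same ParameterXml can be read by position with extract_all, which also lets the query reject rows that do not carry the expected number of parameters before the fields are named and summarised. The sample rows are constructed; the Event ID 8004 filter and the field order (secure-channel name, user, domain, workstation, channel type) are assumptions about the Microsoft-Windows-NTLM/Operational log the poster mentions.

```kql
// Added example, not the thread's own query. Constructed rows shaped like the Event table;
// Event ID 8004 and the parameter order are assumed for the NTLM operational log.
let NtlmAudit = datatable(TimeGenerated:datetime, Computer:string, EventID:int, ParameterXml:string)
[
    datetime(2019-08-20T08:00:00Z), "DC01", 8004, "<Param>-</Param><Param>jdoe</Param><Param>CONTOSO</Param><Param>WS01</Param><Param>2</Param>",
    datetime(2019-08-20T08:00:05Z), "DC01", 8004, "<Param>-</Param><Param>jdoe</Param><Param>CONTOSO</Param><Param>WS01</Param><Param>2</Param>",
    datetime(2019-08-20T08:01:00Z), "DC02", 8004, "<Param>-</Param><Param>svc_backup</Param><Param>CONTOSO</Param><Param>SRV07</Param><Param>2</Param>",
    datetime(2019-08-20T08:02:00Z), "DC01", 8004, "<Param>-</Param><Param></Param><Param>CONTOSO</Param><Param>WS02</Param><Param>2</Param>",
    datetime(2019-08-20T08:03:00Z), "DC01", 8004, "<Param>-</Param><Param>jdoe</Param>"
];
// Row 4 has an empty user name (kept, the capture is just ""); row 5 is malformed (dropped below).
NtlmAudit
| where EventID == 8004
// With a single capture group, extract_all returns a dynamic array of the captured values.
| extend Params = extract_all(@"<Param>(.*?)</Param>", ParameterXml)
// Drop rows that do not carry the five expected parameters rather than misaligning fields.
| where array_length(Params) >= 5
| extend SChannel    = tostring(Params[0]),
         Username    = tostring(Params[1]),
         Domain      = tostring(Params[2]),
         Workstation = tostring(Params[3]),
         ChannelType = tostring(Params[4])
// Who is still authenticating with NTLM, from which workstation, and which DCs saw it.
| summarize Requests = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            DCs       = make_set(Computer)
    by Username, Domain, Workstation, ChannelType
| order by Requests desc
```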
- Gary Bushey, Copper Contributor
andrew_bryant The Sentinel blog had a post a while ago about working with JSON that may help.