Forum Discussion

andrew_bryant's avatar
andrew_bryant
Brass Contributor
Aug 20, 2019
Solved

Kusto question

Importing event logs into workspace that have a property like the following:   <Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>   We are interested in the ...
  • CliveWatson's avatar
    CliveWatson
    Aug 20, 2019

    Hi andrew_bryant 

     

    Are you asking about parsing?  Example:

     

    print txt = "<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>"
| parse txt with *"<Param>2</" p2 "><Param>3"*

     

    Go to Log Analytics and Run Query

    txt p2
    12345

    Param
     
CliveWatson's avatar
CliveWatson
Icon for Microsoft rankMicrosoft
Aug 20, 2019

Hi andrew_bryant 

 

Are you asking about parsing?  Example:

 

print txt = "<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>"
| parse txt with *"<Param>2</" p2 "><Param>3"*

 

Go to Log Analytics and Run Query

txt p2
12345

Param
 
andrew_bryant's avatar
andrew_bryant
Brass Contributor
Aug 22, 2019

CliveWatson 

 

This was what I was looking for.  Here is the query I ended up using:

 
Event
| parse ParameterXml with * "<Param>" SChannel "</Param><Param>" Username "</Param><Param>" domain "</Param><Param>" Workstation "</Param><Param>" channeltype


The event log source was NTLM operational log from DCs auditing NTLM requests.

Resources