Forum Discussion

andrew_bryant's avatar
andrew_bryant
Brass Contributor
Apr 15, 2020

Kusto Regex Matches

I'm trying write a query that will match logs where a field contains any domain other than our own.  This is what I have tried:   | where Recipient matches regex @"(@(?!ourdomain)[A-Za-z0-9]+(.))"...
Col_Sanders's avatar
Col_Sanders
Copper Contributor
Sep 02, 2020

andrew_bryant do you have any updates on this matches regex issue?

I seem to have run into it trying to implement two Sentinel query templates which use this function, 

e.g. this one

I also note an overnight post by another contributor which looks like a similar issue to me ...

 

 

 

 

  • Col_Sanders's avatar
    Col_Sanders
    Copper Contributor
    Sep 08, 2020

    Col_Sanders In case anyone else stumbles on this I'll just post my own fix/discovery for this.
    Turned out that whenever I used Intelli-sense to insert matches I would get the syntax error.

    By manually typing the word matches , no syntax error would occur!

  • CliveWatson's avatar
    CliveWatson
    Former Employee
    Sep 02, 2020

    Col_Sanders andrew_bryant 

     

    This would ignore your domain 

    let Recepient = "This fake fakeperson@fake.com"; 
print Recepient
| extend ourDom = iif(not(Recepient matches regex @"([A-Za-z0-9]*ourdomain.com)"), 
                    extract (@"([A-Za-z0-9]*.com)",0,Recepient),
                    "Matched to ourdomain.com") 
| project ourDom

     

     

Resources