Parsing events with date format M D HH:MI:SS

Occasional Visitor

Hi,

 

I need to parse event strings that begin with a date in this format: M D HH:MI:SS

An example for now is: 'Mar 9 09:51:35' (Paris time)

 

Here is an example of a KQL request explaining my issue:

let Traces = datatable(EventText:string)
[
'Mar 8 14:39:35 my.host.name CustomSTR[42]: "1" "2"',
'Mar 7 14:13:41 another.name.test AnotherStr[24]: "3" "4"'
];
Traces
| parse EventText with Time:string " " Host:string " " Product:string "[" PID:int "]: \"" idA:int "\" \"" idB:int "\""
| project Time, Host, Product, PID, idA, idB

And here is the result:

[Screenshot of the query result: fr4nco1s_0-1615279476704.png]

Do you see the problem?

For example, for the first row I expect this result:

  • Time: Mar 8 14:39:35
  • Host: my.host.name
  • Product: CustomSTR
  • PID: 42
  • idA: 1
  • idB: 2

I also tried to use datetime type to correctly parse Time:

let Traces = datatable(EventText:string)
[
'Mar 8 14:39:35 my.host.name CustomSTR[42]: "1" "2"',
'Mar 7 14:13:41 another.name.test AnotherStr[24]: "3" "4"'
];
Traces  
| parse EventText with Time:datetime  " " Host:string  " " Product:string "[" PID:int "]: \"" idA:int "\" \"" idB:int "\""
| project Time, Host, Product, PID, idA, idB

But it does not parse anything...

 

I am wondering if there is a possibility to use a regex instead of the string/datetime types. (That regex would match my time: [\w]{2,3}\s[\d]{2}\s[\d]{2}:[\d]{2}:[\d]{2} )

Many thanks for your help! :)

 

0 Replies
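One way to get the expected columns, as an added example that is not part of the original post: in the default (simple) parse mode a string column ends at the first occurrence of the next delimiter, so Time stops at the first space of the date. The query below takes the timestamp with extract() and a regex, then runs the simple-mode parse on the remainder. The Rest column name and the third sample row (a day padded with two spaces, as some syslog senders write it) are assumptions constructed for illustration.

```kql
let Traces = datatable(EventText:string)
[
'Mar 8 14:39:35 my.host.name CustomSTR[42]: "1" "2"',
'Mar 7 14:13:41 another.name.test AnotherStr[24]: "3" "4"',
// Constructed row: single-digit day padded with two spaces
'Mar  9 09:51:35 my.host.name CustomSTR[43]: "5" "6"'
];
Traces
// Capture "Mon D HH:MM:SS" as one value; \s+ and \d{1,2} accept
// both "Mar 8" and "Mar  8". Rows that do not match get an empty Time.
| extend Time = extract(@"^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s", 1, EventText)
// Rest (hypothetical helper column) is everything after the timestamp and its trailing space
| extend Rest = substring(EventText, strlen(Time) + 1)
// Simple-mode parse is now unambiguous: no spaces are left inside any field
| parse Rest with Host:string " " Product:string "[" PID:int "]: \"" idA:int "\" \"" idB:int "\""
// Drop lines whose header did not match the expected timestamp layout
| where isnotempty(Time)
| project Time, Host, Product, PID, idA, idB
```

Time stays a string here because the events carry no year or time zone; converting it to datetime requires choosing both explicitly.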