Forum Discussion

Iron Contributor

Jul 24, 2018

Parsing comma separated values

We're using a Syslog to get data to Log Analytics from some devices. This works perfectly and places the relevant data we need in the "Syslogmessage" column in "Syslog". I'm trying to use the parse c...

azure monitor

Query Language

ScottAllison

Iron Contributor

Jul 25, 2018

I found a way:

Syslog
| extend msgArr=split(SyslogMessage, ",")
| project Receive_Time=msgArr[0],
Serial_Number=msgArr[1],
Type=msgArr[2],
Subtype=msgArr[3],
FUTURE_USE1=msgArr[4],
Generated_Time=msgArr[5],
Virtual_System=msgArr[6],
Event_ID=msgArr[7],
Object=msgArr[8],
FUTURE_USE2=msgArr[9],
FUTURE_USE3=msgArr[10],
Module=msgArr[11],
Severity=msgArr[12],
Description=msgArr[13],
Sequence_Number=msgArr[14],
Action_Flags=msgArr[15],
Device_Group_Hierarchy_Level_1=msgArr[16],
Device_Group_Hierarchy_Level_2=msgArr[17],
Device_Group_Hierarchy_Level_3=msgArr[18],
Device_Group_Hierarchy_Level_4=msgArr[19],
Virtual_System_Name=msgArr[20],
Device_Name=msgArr[21]

However, occasionally I have a Syslog message that comes in that has an extra comma in a field, which pushes the other columns over. Still trying to work through that.