Sep 30 2019
04:16 AM
- last edited on
Apr 08 2022
10:08 AM
by
TechCommunityAP
Sep 30 2019
04:16 AM
- last edited on
Apr 08 2022
10:08 AM
by
TechCommunityAP
Hi,
I need to parse for usernames that can appear under different text context in the same cell.
Is it possible to check for different variants in the same cell and stop on the first match?
This is obviously not working but explains my question:
Sep 30 2019 08:17 AM
What does the column 'Message' actaulyly look like look like? Can you provide some examples of the contents?
e.g.
let msg = datatable (Message:string)
[
"ABCyyyyDEFGHIzzzzJKLMNOaaaaaPQR"
];
msg
Sep 30 2019 10:19 AM - edited Sep 30 2019 10:23 AM
Its a SyslogMessage that contains failed authentication info and can come in two types.
Failed password for invalid user UserName from
or
Failed password for UserName from
i need to parse the UserName for my next actions regardless of the message type but put it in only one variable(UserName).
Oct 01 2019 01:16 AM
Solution
Assuming the word "from" is the final word in this column the:
let msg = datatable (Date:date, Message:string)
[
datetime(2019-09-29),"Failed password for testperson from",
datetime(2019-09-29),"Failed password for invalid user clive from",
datetime(2019-09-30),"Failed password for testuser from",
datetime(2019-09-30),"Failed password fakeuser from"
];
msg
| extend txtArray =split(Message, " ") // split the column if we see a <space> into an array
| extend posArray = array_length(txtArray) -2 // Now calculate the positionin the array of the 2nd to last entry (the word before "from")
| extend UserName = trim(@"[^\w]+",tostring(split(txtArray[posArray]," "))) // clean the text (non Alpha chars) and get the 2nd to last entry
Date | Message | txtArray | posArray | UserName |
---|---|---|---|---|
2019-09-29T00:00:00Z | Failed password for testperson from | ["Failed","password","for","","testperson","from"] | 4 | testperson |
2019-09-29T00:00:00Z | Failed password for invalid user clive from | ["Failed","password","for","invalid","user","clive","from"] | 5 | clive |
2019-09-30T00:00:00Z | Failed password for testuser from | ["Failed","password","for","testuser","from"] | 3 | testuser |
2019-09-30T00:00:00Z | Failed password fakeuser from | ["Failed","password","fakeuser","from"] | 2 | fakeuser |
Oct 01 2019 02:16 PM - edited Oct 01 2019 02:17 PM
@CliveWatson Thank you, I appreciate your time and effort.
Oct 01 2019 01:16 AM
Solution
Assuming the word "from" is the final word in this column the:
let msg = datatable (Date:date, Message:string)
[
datetime(2019-09-29),"Failed password for testperson from",
datetime(2019-09-29),"Failed password for invalid user clive from",
datetime(2019-09-30),"Failed password for testuser from",
datetime(2019-09-30),"Failed password fakeuser from"
];
msg
| extend txtArray =split(Message, " ") // split the column if we see a <space> into an array
| extend posArray = array_length(txtArray) -2 // Now calculate the positionin the array of the 2nd to last entry (the word before "from")
| extend UserName = trim(@"[^\w]+",tostring(split(txtArray[posArray]," "))) // clean the text (non Alpha chars) and get the 2nd to last entry
Date | Message | txtArray | posArray | UserName |
---|---|---|---|---|
2019-09-29T00:00:00Z | Failed password for testperson from | ["Failed","password","for","","testperson","from"] | 4 | testperson |
2019-09-29T00:00:00Z | Failed password for invalid user clive from | ["Failed","password","for","invalid","user","clive","from"] | 5 | clive |
2019-09-30T00:00:00Z | Failed password for testuser from | ["Failed","password","for","testuser","from"] | 3 | testuser |
2019-09-30T00:00:00Z | Failed password fakeuser from | ["Failed","password","fakeuser","from"] | 2 | fakeuser |