Forum Discussion

alchem_rj's avatar
alchem_rj
Copper Contributor
Sep 01, 2020

Table count from custom log

Hello,   I would like to get the count of table name reference in my custom log which is pushed to the Log analytics. The custom log structure is given below.   020-08-31 16:15:38 ProxyEngine [I...
azure monitor
Log Analytics
alchem_rj's avatar
alchem_rj
Copper Contributor

Hi Rafi_Rabo,

 

How we can do a string regression. For example, if the table name is as follows then how we can include it in the query.

 

1. abc_3val_xyz_dd

2. txt_1data_abcd

 

Thanks

Rafi_Rabo's avatar
Rafi_Rabo
Icon for Microsoft rankMicrosoft
Sep 10, 2020

Hi alchem_rj ,

 

I can think of several options:

1. Look for more patterns in the the extract() function (You may use more complex RegExp to match more tables). Note that this is not scalable solution since you'll always need to add more patterns/ table names to the expression.

| extend table_name = (extract ("(table_[0-9]+)|(abc_3val_xyz_dd)|(txt_1data_abcd)", 0, LogText)), month=(getmonth(TimeGenerated))

2. Add a 'TableName' column to your custom logs, with the table name in the relevant rows. Easily you'll be able to filter out logs which are not related to tables, and summarize according to 'TableName'.

3. Write the message in your logs with a unique pattern for table, for example

"....... from .... is select * from table table_2"
In such case you could parse according to the unique pattern "from table ".
 
Hope that it answers your question,
Rafi
 
  • Rafi_Rabo's avatar
    Rafi_Rabo
    Icon for Microsoft rankMicrosoft
    Sep 17, 2020

    Hi alchem_rj.,

     

    You can tweak the regular expression, using the operator $ which means end of match.

    In your case:

    extend table_name = (extract ("(abc_8val_yy$)", 0, RawData))

     

    Reference for regular expressions supported in Kusto: https://github.com/google/re2/wiki/Syntax

     

    Rafi

  • alchem_rj's avatar
    alchem_rj
    Copper Contributor
    Sep 17, 2020

    Hi Rafi_Rabo,

     

     

    Is it possible to fetch the exact matching string from Rawdata using "extract" operator? or any other command?

  • alchem_rj's avatar
    alchem_rj
    Copper Contributor
    Sep 16, 2020

    Hi Rafi_Rabo 

     

    Thanks a lot for your help.

     

    I also notice that if I use a similar table name in the extend operator am getting same result.

     

    extend table_name = (extract ("(abc_8val_yy)", 0, RawData))

     

    The output (count of table name) of above query and below query is same

     

    extend table_name = (extract ("(abc_8val_yy_vw)", 0, RawData))

     

     

  • Rafi_Rabo's avatar
    Rafi_Rabo
    Icon for Microsoft rankMicrosoft
    Sep 16, 2020

    Hi alchem_rj ,

     

    Try running the following: Go to Log Analytics and run query

     

    I tweaked the regexp to: 

    abc_[0-9]+val_[0-9A-Za-z_]+

     

    If you still have issues, please share the data and query you are trying to run.

     

    Rafi

  • alchem_rj's avatar
    alchem_rj
    Copper Contributor
    Sep 16, 2020

    Hi Rafi_Rabo ,

     

    When I use the Regex you have provided I am getting all the value in the RawData along with the table name. I am not able to filter the exact table name from the RawData.

  • alchem_rj's avatar
    alchem_rj
    Copper Contributor
    Sep 11, 2020

    Hi Rafi_Rabo,

     

     

    Do we have RegExp similar to below?

     

    1. abc_[0-9]val_* (all string or word )after this?

    Expected table names

    abc_1val_dd

    abc_3val_xx

    abc_2val_extra_cc

     

    Thanks

     

Resources