Forum Discussion

Sahyang
Copper Contributor
Nov 01, 2022

User defined function for Log analytics custom log cannot parse the RawData

Hi Team,

I'd like to use a Kusto query to view application (web/WAS) logs on Log Analytics.

I've created the Kusto query below and it works fine, as I intended.

let RemoveBracket = (RawData:string)
{ substring(RawData, 1, indexof(RawData, "]", 1)-1) } ;
let BodyIndex = (RawData:string)
{ toint( strlen(RawData)-indexof(RawData, "]", 1) ) } ;
appdocrootlogs_CL
| extend head = RemoveBracket(RawData)
| extend headSplit = split(head, "|")
| extend body = substring(RawData, indexof(RawData, "]", 1)+1, BodyIndex(RawData))
| extend TimeStamp=headSplit[0], Sev=headSplit[1], method=headSplit[2], VMSS=headSplit[3], svr=headSplit[4], AOD=headSplit[5], Result=headSplit[6], msg=headSplit[7], body
| where VMSS contains "qa"
| project TimeStamp, Sev, method, VMSS, svr, AOD, Result, msg, body

However, when I tried to define the above two functions (RemoveBracket, BodyIndex) separately and ran the query below, it generated the error below.

Function 'RemoveBracket' could not be parsed at 'RawData' on line [0,40] Token: RawData Position: 40 If the issue persists, please open a support ticket. Request id: 1549132e-157f-4362-b9d5-c456b1b361ce

Why does this happen? How do I create user-defined functions?

  • Clive_Watson
    Bronze Contributor
    This looks good to me, but not on your data source of course. I used the CloudAppEvents table and some small edits, but the two functions seemed to work.

    let RemoveBracket = (RawData:string)
    { substring(RawData, 1, indexof(RawData, "]", 1)-1) } ;
    let BodyIndex = (RawData:string)
    { toint( strlen(RawData)-indexof(RawData, "]", 1) ) } ;
    CloudAppEvents
    | extend head = RemoveBracket(RawEventData)
    | extend headSplit = split(head, "|")
    | extend body = substring(RawEventData, indexof(RawEventData, "]", 1)+1, BodyIndex(RawEventData))
    | extend TimeStamp=headSplit[0], Sev=headSplit[1], method=headSplit[2], VMSS=headSplit[3], svr=headSplit[4], AOD=headSplit[5], Result=headSplit[6], msg=headSplit[7], body
    //| where VMSS contains "qa"
    | project TimeStamp, Sev, method, VMSS, svr, AOD, Result, msg, body
    | limit 100
    | where isnotempty(TimeStamp)



    • Sahyang
      Copper Contributor

      Clive_Watson
      Hello Watson, thank you for your comment.

      It works when I attach those two "let" functions.

      However, the point is that the query does not work if I define those two functions separately and call them, rather than defining them at the top of the query.
      That is, I defined "RemoveBracket" and "BodyIndex" as saved functions and used the query below,

      appdocrootlogs_CL
      | extend head = RemoveBracket(RawData)
      | extend headSplit = split(head, "|")
      | extend body = substring(RawData, indexof(RawData, "]", 1)+1, BodyIndex(RawData))
      | project TimeStamp=headSplit[0], Sev=headSplit[1], method=headSplit[2], VMSS=headSplit[3], svr=headSplit[4], AOD=headSplit[5], Result=headSplit[6], msg=headSplit[7], body

      the function call generates error.

      Can you also try to define those two functions separately and use them?
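As an added example (not code from this thread and not KQL), here is a stand-alone Python re-implementation of what RemoveBracket, BodyIndex and the split compute, run over constructed sample lines in the same `[f1|f2|...|f8] body` layout. It lets the field positions be checked outside the workspace and shows the two cases the KQL version does not guard against: a line with no `]` header, and a message that itself contains `|`.

```python
from typing import Dict, List, Optional

# Field names in the order the thread's query assigns them from headSplit[0..7]
FIELDS = ["TimeStamp", "Sev", "method", "VMSS", "svr", "AOD", "Result", "msg"]


def remove_bracket(raw: str) -> Optional[str]:
    """Same idea as the thread's RemoveBracket: text between the leading '['
    and the first ']'. Returns None when there is no '[...]' header, where
    the KQL indexof() would return -1 and substring() would slice garbage."""
    if not raw.startswith("["):
        return None
    end = raw.find("]", 1)
    return None if end == -1 else raw[1:end]


def body_of(raw: str) -> str:
    """Same as the thread's body expression: everything after the first ']'.
    A line with no ']' is returned whole so nothing is silently dropped."""
    end = raw.find("]", 1)
    return raw if end == -1 else raw[end + 1:]


def parse_line(raw: str) -> Dict[str, Optional[str]]:
    """Turn one RawData line into the eight header fields plus body."""
    record: Dict[str, Optional[str]] = dict.fromkeys(FIELDS)
    head = remove_bracket(raw)
    if head is not None:
        # maxsplit=7 keeps any extra '|' inside the message instead of
        # discarding it, which taking headSplit[7] in the KQL query would do.
        parts = head.split("|", 7)
        record.update(zip(FIELDS, parts))  # short headers leave later fields None
    record["body"] = body_of(raw)
    return record


def qa_records(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Equivalent of '| where VMSS contains "qa"' (KQL contains is case-insensitive)."""
    parsed = (parse_line(line) for line in lines)
    return [r for r in parsed if r["VMSS"] and "qa" in r["VMSS"].lower()]


# Constructed sample lines (not real log data) in the layout the thread parses
SAMPLE_LINES = [
    "[2022-11-01T09:15:02Z|INFO|GET|VMSS-QA-web-01|web03|aod1|200|ok] GET /login 12ms",
    "[2022-11-01T09:15:03Z|ERROR|POST|vmss-prod-web-02|web07|aod2|500|db timeout|retry] POST /order",
    "[2022-11-01T09:15:04Z|WARN] truncated header",
    "plain text without any header",
]
```

Calling `qa_records(SAMPLE_LINES)` returns only the first record, the one whose VMSS field contains "qa".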
