Aug 20 2019 01:52 PM
Importing event logs into workspace that have a property like the following:
<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>
We are interested in the second parameter. Is there a query that can distill this down into one property?
Aug 20 2019 03:15 PM
Solution
Are you asking about parsing? Example:
print txt = "<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>"
| parse txt with *"<Param>2</" p2 "><Param>3"*
txt | p2
---|---
<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param> | Param
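A more general form of the same approach, added here and not part of the original answer: rather than anchoring on the literal text around the second parameter, capture every <Param> value into an array and index the one you want. It assumes the Azure Monitor Event table and its ParameterXml column; the datatable row is a constructed sample so the query runs without any ingested data.

```kql
// Constructed sample row standing in for the Event table's ParameterXml column (assumption)
datatable(TimeGenerated:datetime, ParameterXml:string)
[
    datetime(2019-08-20 13:52:00), "<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>"
]
// Capture the text between each <Param> and </Param> as a dynamic array of strings
| extend Params = extract_all(@"<Param>(.*?)</Param>", ParameterXml)
// Arrays are zero-based, so index 1 is the second parameter (here "2")
| extend SecondParam = tostring(Params[1])
| project TimeGenerated, SecondParam, ParamCount = array_length(Params)
```

Against ingested data, replace the datatable with Event (filtered by EventID as needed) and the rest of the pipeline is unchanged.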
Aug 21 2019 04:32 AM
@andrew_bryant The Sentinel blog had a post a while ago about working with JSON that may help.
Aug 22 2019 06:32 AM
This was what I was looking for. Here is the query I ended up using: