Kusto question


Importing event logs into a workspace that have a property like the following:




We are interested in the second parameter.  Is there a query that can distill this down into one property?

3 Replies
best response confirmed by andrew_bryant (Brass Contributor)

Hi @andrew_bryant 


Are you asking about parsing?  Example:


print txt = "<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>"
| parse txt with *"<Param>2</" p2 "><Param>3"*





@andrew_bryant The Sentinel blog had a post a while ago about working with JSON that may help.



This was what I was looking for.  Here is the query I ended up using:

| parse ParameterXml with * "<Param>" SChannel "</Param><Param>" Username "</Param><Param>" domain "</Param><Param>" Workstation "</Param><Param>" channeltype

The event log source was NTLM operational log from DCs auditing NTLM requests.
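Putting the accepted parse pattern to work on the NTLM audit data described above, as an added example that is not part of the original thread. The `NtlmAudit` datatable, its column names and every value in it are constructed stand-ins for the real workspace table (assumed to carry a `ParameterXml` string column); the query also goes a step beyond the thread by counting the `<Param>` elements first, so rows with an unexpected layout are surfaced instead of silently producing empty fields.

```kusto
// Constructed sample rows standing in for NTLM operational-log events from the DCs
// (table name, column names and values are assumptions, not real telemetry).
let NtlmAudit = datatable(TimeGenerated: datetime, Computer: string, ParameterXml: string)
[
    datetime(2024-01-15T10:00:00Z), "DC01.corp.example",
      "<Param>MSV1_0</Param><Param>jsmith</Param><Param>CORP</Param><Param>WS-042</Param><Param>Domain-based</Param>",
    datetime(2024-01-15T10:05:00Z), "DC01.corp.example",
      "<Param>MSV1_0</Param><Param>svc_backup</Param><Param>CORP</Param><Param>SRV-07</Param><Param>Domain-based</Param>",
    datetime(2024-01-15T10:07:00Z), "DC02.corp.example",
      "<Param>MSV1_0</Param><Param>jsmith</Param><Param>CORP</Param><Param>WS-042</Param><Param>Domain-based</Param>",
    // Malformed row with only three <Param> elements: positional parse would give it empty fields.
    datetime(2024-01-15T10:09:00Z), "DC02.corp.example",
      "<Param>MSV1_0</Param><Param>jsmith</Param><Param>CORP</Param>"
];
NtlmAudit
// Count the <Param> elements so rows that do not fit the five-field layout can be reported.
| extend ParamCount = array_length(extract_all(@"<Param>([^<]*)</Param>", ParameterXml))
// Positional parse, as in the accepted query: each literal "</Param><Param>" separator
// anchors the next capture, so column order must match the order of <Param> elements.
// The closing "</Param>" literal stops the last capture at the tag instead of end of string.
| parse ParameterXml with * "<Param>" SChannel "</Param><Param>" Username "</Param><Param>" domain "</Param><Param>" Workstation "</Param><Param>" channeltype "</Param>"
| extend LayoutOk = ParamCount == 5
// Inventory who is still authenticating over NTLM, and from which workstation, per DC;
// rows flagged LayoutOk == false are kept visible rather than dropped.
| summarize Requests = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, Username, domain, Workstation, channeltype, LayoutOk
| order by Requests desc
```

The constructed data yields three well-formed groups (jsmith from WS-042 seen on both DCs, svc_backup from SRV-07) plus one row with `LayoutOk == false` and empty `Workstation`/`channeltype`, which is the case the count check exists to catch.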