Forum Discussion
Kusto Regex Matches
I'm trying to write a query that will match logs where a field contains any domain other than our own. This is what I have tried:
5 Replies
- Col_Sanders (Copper Contributor)
andrew_bryant do you have any updates on this matches regex issue?
I seem to have run into it trying to implement two Sentinel query templates which use this function,
e.g. this one
I also note an overnight post by another contributor which looks like a similar issue to me ...
- Col_Sanders (Copper Contributor)
Col_Sanders In case anyone else stumbles on this I'll just post my own fix/discovery for this.
Turned out that whenever I used IntelliSense to insert matches I would get the syntax error. By manually typing the word matches, no syntax error would occur!
- CliveWatson (Former Employee)
This would ignore your domain
let Recepient = "This fake fakeperson@fake.com";
print Recepient
| extend ourDom = iif(
    not(Recepient matches regex @"([A-Za-z0-9]*ourdomain\.com)"),  // true when our domain is absent
    extract(@"([A-Za-z0-9]*\.com)", 0, Recepient),                  // first .com domain in the string
    "Matched to ourdomain.com")
| project ourDom
- mperrotta (Brass Contributor)
andrew_bryant I ran into the same issue. I wasn't able to find an answer to do this regex. What I ended up doing was using something like 'where Data.ObjectName !contains ("System Volume Information")' to filter out strings I didn't want to be included.
Not sure if this will work in your scenario but this was the only solution I was able to come up with to address this.
- andrew_bryant (Brass Contributor)
mperrotta Thanks. I had thought of that. But this field could contain multiple domains in it. I want to match on any record where the field contains a domain other than ours, even if it also contains ours.
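An added example, not part of any reply in this thread: one way to keep every record whose field contains at least one domain other than ours, even when ours is also present. It assumes the domains appear after an `@` in addresses and that subdomains of ours count as internal; `OurDomain`, the `Recipients` column and the sample rows are constructed for illustration.

```kusto
// Assumption: placeholder for the organisation's own domain.
let OurDomain = "ourdomain.com";
// Constructed sample rows. Rows 5 and 6 are look-alikes that a substring
// test such as `contains "ourdomain.com"` would wrongly treat as ours.
datatable(Id:int, Recipients:string)
[
    1, "alice@ourdomain.com",
    2, "bob@ourdomain.com; carol@fake.com",
    3, "dave@fake.com",
    4, "erin@mail.ourdomain.com, frank@OURDOMAIN.COM",
    5, "mallory@notourdomain.com",
    6, "trent@ourdomain.com.example.net"
]
// Pull every domain out of the field, not just the first one.
// With a single capture group, extract_all returns a flat array of strings.
| extend Domains = extract_all(@"@([a-z0-9.-]+\.[a-z]{2,})", tolower(Recipients))
// Evaluate each domain on its own, so a record that holds both our domain
// and an external one is judged on the external one.
| mv-apply Domain = Domains to typeof(string) on (
    // Exact match or a true subdomain is internal; everything else is external.
    where Domain != OurDomain and Domain !endswith strcat(".", OurDomain)
    | summarize ExternalDomains = make_set(Domain)
  )
// Drop records in which every domain was internal.
| where array_length(ExternalDomains) > 0
| project Id, Recipients, ExternalDomains
```

Comparing whole extracted domains, rather than searching the raw string for our domain, is what stops look-alike names from being classified as internal.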