User Profile
Preben902
Copper Contributor
Joined 6 years ago
Recent Discussions
Kusto regex for extracting IP addresses
In my AzureDiagnostics for my ResourceType "AzureFirewalls", there's a column named "msg_s". It contains information about IP addresses trying to request access to another address. Examples include:
HTTPS request from 10.192.168.10:10100 to some-text.blob.core.windows.net:443. Action: Allow. Azure internal traffic.
HTTPS request from 198.192.100.10:10500. Action: Deny. Reason: SNI TLS extension was missing
UDP request from 10.192.100.1:10500 to 10.168.10.20. Action: Allow
I'd like to use RegEx to extract the first IP into one column, then extract the second IP if there is one (the second example did not have a destination IP), and extract "Allow" or "Deny" into a third column. Can someone help me solve this? I've already tried using Parse instead of RegEx, but I believe RegEx is better because of the optional destination address in the second example and the optional :port in the third example.
Compare count of errors in last 12h against last multiple periods of 12h
I have a set of VMs that generate errors. I want a query to return a result if the last 12 hours has generated more errors than the last multiple periods of 12 hours.
Event
| where TimeGenerated > ago(7d)
| where EventLevelName == "Warning" or EventLevelName == "Error"
| summarize count_ = count() by bin(TimeGenerated, 12h)
| summarize maxi = max(count_), mini = min(count_)
This returns two columns with the maximum and minimum values of the last multiple periods of 12 hours. Problem one is that it includes the latest 12 hours, so it will never be more than that when comparing. Problem two is that it is missing that final comparison syntax. How do I do it?
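Added example (mine, not from either discussion above or any reply to them): a single regex that pulls the source IP, the optional destination and its optional port, and the Allow/Deny verdict out of the three msg_s shapes quoted in the first discussion. The sample lines are constructed from those quotes; the pattern uses no lookarounds or backreferences so it remains RE2 syntax, which is what Kusto's extract() expects, and the field names are my own choice.

```python
import re

# Constructed sample msg_s values, one per firewall log line, mirroring the
# three shapes quoted in the question (with/without destination, with/without port).
SAMPLE_MSGS = [
    "HTTPS request from 10.192.168.10:10100 to some-text.blob.core.windows.net:443. "
    "Action: Allow. Azure internal traffic.",
    "HTTPS request from 198.192.100.10:10500. Action: Deny. Reason: SNI TLS extension was missing",
    "UDP request from 10.192.100.1:10500 to 10.168.10.20. Action: Allow",
]

# One pattern for all three shapes. The ":port" after either address and the whole
# " to <destination>" clause are optional groups. Capture groups are numbered
# 1=proto 2=src 3=sport 4=dst 5=dport 6=action; in KQL the same pattern works with
# extract(pattern, <group index>, msg_s), one extend per column.
MSG_PATTERN = re.compile(
    r"^(?P<proto>\S+) request from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"  # source IP, optional port
    r"(?: to (?P<dst>[^\s:]+)(?::(?P<dport>\d+))?)?"          # optional destination (+port)
    r"\. Action: (?P<action>Allow|Deny)"                      # verdict
)


def parse_msg(msg):
    """Return a dict of the captured fields (missing ones are None), or None if no match."""
    m = MSG_PATTERN.match(msg)
    if m is None:
        return None
    return dict(m.groupdict())


def parse_all(msgs):
    """Parse a list of msg_s strings; unmatched lines yield None so they are easy to audit."""
    return [parse_msg(m) for m in msgs]


if __name__ == "__main__":
    for row in parse_all(SAMPLE_MSGS):
        print(row)
```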