Sentinel
Parsing events with date format M D HH:MI:SS
Hi, I need to parse event strings that begin with a date having this format: M D HH:MI:SS

Example now is: 'Mar 9 09:51:35' (Paris time)

Here is an example of a KQL request explaining my issue:

```
let Traces = datatable(EventText:string)
[
    'Mar 8 14:39:35 my.host.name CustomSTR[42]: "1" "2"',
    'Mar 7 14:13:41 another.name.test AnotherStr[24]: "3" "4"'
];
Traces
| parse EventText with Time:string " " Host:string " " Product:string "[" PID:int "]: \"" idA:int "\" \"" idB:int "\""
| project Time, Host, Product, PID, idA, idB
```

And here is the result:

You see the problem? For example, for the first row I expect this result:

Time: Mar 8 14:39:35
Host: my.host.name
Product: CustomSTR
PID: 42
idA: 1
idB: 2

I also tried to use the datetime type to correctly parse Time:

```
let Traces = datatable(EventText:string)
[
    'Mar 8 14:39:35 my.host.name CustomSTR[42]: "1" "2"',
    'Mar 7 14:13:41 another.name.test AnotherStr[24]: "3" "4"'
];
Traces
| parse EventText with Time:datetime " " Host:string " " Product:string "[" PID:int "]: \"" idA:int "\" \"" idB:int "\""
| project Time, Host, Product, PID, idA, idB
```

But it does not parse anything...

I am wondering if there is a possibility to use a regex instead of the string/datetime types (that regex would match my time: [\w]{2,3}\s[\d]{2}\s[\d]{2}:[\d]{2}:[\d]{2} ).

Many thanks for your help! 🙂
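
Added example, not part of the original post: one way to get the expected columns is to pull the timestamp out with a regex through `extract`, strip that header, and run the simple `parse` on what remains. The names `TimeRegex`, `Rest` and the third sample row are assumptions made for illustration, and the day is matched with `\d{1,2}` because the sample rows carry single-digit days.

```kql
let Traces = datatable(EventText:string)
[
    // Constructed sample rows: the first two come from the question,
    // the third (assumed) uses the space-padded day some syslog senders emit.
    'Mar 8 14:39:35 my.host.name CustomSTR[42]: "1" "2"',
    'Mar 7 14:13:41 another.name.test AnotherStr[24]: "3" "4"',
    'Mar  9 09:51:35 third.host.example ThirdStr[7]: "5" "6"'
];
// Header: month name, day of month (1 or 2 digits), HH:MM:SS, then whitespace.
// In simple mode, "Time:string" stops at the first space, so the timestamp
// has to be matched as a whole by a regex instead.
let TimeRegex = @"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+";
Traces
// Capture group 1 is the full timestamp; empty when the header is absent
| extend Time = extract(TimeRegex, 1, EventText)
// Rows without a recognizable header are left out rather than mis-parsed
| where isnotempty(Time)
// Remove the matched header so the remaining text starts at the host name
| extend Rest = replace_regex(EventText, TimeRegex, "")
| parse Rest with Host:string " " Product:string "[" PID:int "]: \"" idA:int "\" \"" idB:int "\""
| project Time, Host, Product, PID, idA, idB
```

`Time` stays a string here because the events carry no year, so converting it to `datetime` would require assuming one.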