Jul 24 2018 - last edited on Apr 07 2022
We're using a Syslog to get data to Log Analytics from some devices. This works perfectly and places the relevant data we need in the "Syslogmessage" column in "Syslog". I'm trying to use the parse command to extract that data into new columns but cannot figure out how to do it. Here is a sample of the value in that column:
37:00,0008C101547,SYSTEM,userid,0,2018/07/23 11:36:58,,connect-ldap-sever-failure,SERVER1.DOM1.DOMAIN1,0,0,general,medium,"ldap cfg CT Group Mapping failed to connect to server SERVER1.DOM1.DOMAINNAME.net:389: Error: Failed to get address info for SERVER1.DOM1.DOMAINNAME.net.",38678840,0x8000000000000000,0,0,0,0,,DOM1FHS01.LAB
I figured I could use regex to extract what I need, but cannot seem to get it to work correctly. What's the best way to do this?
Example of something I've tried:
Jul 25 2018 04:00 AM
I found a way:
Syslog
| extend msgArr = split(SyslogMessage, ",")
// split() returns a dynamic array; each column is picked by its zero-based position
| project Receive_Time=msgArr[0], Serial_Number=msgArr[1], Type=msgArr[2], Subtype=msgArr[3], FUTURE_USE1=msgArr[4], Generated_Time=msgArr[5], Virtual_System=msgArr[6], Event_ID=msgArr[7], Object=msgArr[8], FUTURE_USE2=msgArr[9], FUTURE_USE3=msgArr[10], Module=msgArr[11], Severity=msgArr[12], Description=msgArr[13], Sequence_Number=msgArr[14], Action_Flags=msgArr[15], Device_Group_Hierarchy_Level_1=msgArr[16], Device_Group_Hierarchy_Level_2=msgArr[17], Device_Group_Hierarchy_Level_3=msgArr[18], Device_Group_Hierarchy_Level_4=msgArr[19], Virtual_System_Name=msgArr[20], Device_Name=msgArr[21]
However, occasionally I have a Syslog message that comes in that has an extra comma in a field, which pushes the other columns over. Still trying to work through that.
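An added example (not from the original poster) for the extra-comma case described above: Kusto's parse_csv() treats a double-quoted field as a single value even when it contains commas, whereas split() cuts on every comma. The sample record, the 22-field sanity check and the ParseStatus column are constructed for this example; the column names follow the query in the post.

```kusto
// Added example, not from the original post. parse_csv() keeps a double-quoted
// field (here Description) in one array element even if it contains commas,
// so the remaining columns no longer shift.
// Constructed sample: the Description field deliberately contains a comma.
let sample = datatable(SyslogMessage:string) [
    '37:00,0008C101547,SYSTEM,userid,0,2018/07/23 11:36:58,,connect-ldap-sever-failure,SERVER1.DOM1.DOMAIN1,0,0,general,medium,"ldap cfg CT Group Mapping failed to connect to server, retrying",38678840,0x8000000000000000,0,0,0,0,,DOM1FHS01.LAB'
];
sample
| extend msgArr = parse_csv(SyslogMessage)
// A well-formed record has exactly 22 fields; flag anything else instead of
// silently mapping the wrong value into a column.
| extend FieldCount = array_length(msgArr)
| extend ParseStatus = iff(FieldCount == 22, "ok", "unexpected field count")
| project
    ParseStatus,
    Receive_Time = tostring(msgArr[0]),
    Serial_Number = tostring(msgArr[1]),
    Type = tostring(msgArr[2]),
    Subtype = tostring(msgArr[3]),
    Generated_Time = tostring(msgArr[5]),
    Virtual_System = tostring(msgArr[6]),
    Event_ID = tostring(msgArr[7]),
    Object = tostring(msgArr[8]),
    Module = tostring(msgArr[11]),
    Severity = tostring(msgArr[12]),
    Description = tostring(msgArr[13]),
    Sequence_Number = tolong(msgArr[14]),
    Action_Flags = tostring(msgArr[15]),
    Virtual_System_Name = tostring(msgArr[20]),
    Device_Name = tostring(msgArr[21])
```

Against the live workspace, replace the let/datatable prelude with the Syslog table and keep the rest of the pipeline unchanged.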