cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

parsing two options in the same cell?

CloudMe
Copper Contributor

‎Sep 30 2019 04:16 AM - last edited on ‎Apr 08 2022 10:08 AM by

‎Sep 30 2019 04:16 AM - last edited on ‎Apr 08 2022 10:08 AM by

parsing two options in the same cell?

Hi,

 

I need to parse for usernames that can appear under different text context in the same cell.

Is it possible to check for different variants in the same cell and stop on the first match?

 

This is obviously not working but explains my question:

| parse Message with *"ABC" UserName "DEF"* or *"GHI" UserName "JKL"*
 
Thank You.
Labels:
1,154 Views
0 Likes
4 Replies
Reply
4 Replies
CliveWatson

‎Sep 30 2019 08:17 AM

‎Sep 30 2019 08:17 AM

Re: parsing two options in the same cell?

@CloudMe

 

What does the column 'Message' actaulyly look like look like?  Can you provide some examples of the contents?

 

e.g.

 

print Message = "ABCyyyyDEFGHIzzzzJKL"
 
or
 
print Message = "ABCDEFGHIzzzzJKL"
 
or use a datatable
 
let msg = datatable (Message:string)
[
"ABCyyyyDEFGHIzzzzJKLMNOaaaaaPQR"
];
msg
​

 

0 Likes
Reply
CloudMe

‎Sep 30 2019 10:19 AM - edited ‎Sep 30 2019 10:23 AM

‎Sep 30 2019 10:19 AM - edited ‎Sep 30 2019 10:23 AM

Re: parsing two options in the same cell?

@CliveWatson 

 

Its a SyslogMessage that contains failed authentication info and can come in two types.

 

Failed password for invalid user UserName from

or

Failed password for UserName from

 

i need to parse the UserName for my next actions regardless of the message type but put it in only one variable(UserName).

 

0 Likes
Reply
best response confirmed by CloudMe (Copper Contributor)
CliveWatson

‎Oct 01 2019 01:16 AM

‎Oct 01 2019 01:16 AM

Solution

Re: parsing two options in the same cell?

@CloudMe 

 

Assuming the word "from" is the final word in this column the:

 

let msg = datatable (Date:date, Message:string)
[
datetime(2019-09-29),"Failed password for  testperson from",
datetime(2019-09-29),"Failed password for invalid user clive from",
datetime(2019-09-30),"Failed password for testuser from",
datetime(2019-09-30),"Failed password fakeuser from"
];
msg
| extend txtArray =split(Message, " ")   // split the column if we see a <space> into an array
| extend posArray = array_length(txtArray) -2   // Now calculate the positionin the array of the 2nd to last entry (the word before "from")
| extend UserName = trim(@"[^\w]+",tostring(split(txtArray[posArray]," "))) // clean the text (non Alpha chars) and get the 2nd to last entry

 

 

Date Message txtArray posArray UserName
2019-09-29T00:00:00Z Failed password for testperson from ["Failed","password","for","","testperson","from"] 4 testperson
2019-09-29T00:00:00Z Failed password for invalid user clive from ["Failed","password","for","invalid","user","clive","from"] 5 clive
2019-09-30T00:00:00Z Failed password for testuser from ["Failed","password","for","testuser","from"] 3 testuser
2019-09-30T00:00:00Z Failed password fakeuser from ["Failed","password","fakeuser","from"] 2 fakeuser

 

 

1 Like
Reply
CloudMe

‎Oct 01 2019 02:16 PM - edited ‎Oct 01 2019 02:17 PM

‎Oct 01 2019 02:16 PM - edited ‎Oct 01 2019 02:17 PM

Re: parsing two options in the same cell?

@CliveWatson Thank you, I appreciate your time and effort.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by CloudMe (Copper Contributor)
CliveWatson

‎Oct 01 2019 01:16 AM

‎Oct 01 2019 01:16 AM

Solution

Re: parsing two options in the same cell?

@CloudMe 

 

Assuming the word "from" is the final word in this column the:

 

let msg = datatable (Date:date, Message:string)
[
datetime(2019-09-29),"Failed password for  testperson from",
datetime(2019-09-29),"Failed password for invalid user clive from",
datetime(2019-09-30),"Failed password for testuser from",
datetime(2019-09-30),"Failed password fakeuser from"
];
msg
| extend txtArray =split(Message, " ")   // split the column if we see a <space> into an array
| extend posArray = array_length(txtArray) -2   // Now calculate the positionin the array of the 2nd to last entry (the word before "from")
| extend UserName = trim(@"[^\w]+",tostring(split(txtArray[posArray]," "))) // clean the text (non Alpha chars) and get the 2nd to last entry

 

 

Date Message txtArray posArray UserName
2019-09-29T00:00:00Z Failed password for testperson from ["Failed","password","for","","testperson","from"] 4 testperson
2019-09-29T00:00:00Z Failed password for invalid user clive from ["Failed","password","for","invalid","user","clive","from"] 5 clive
2019-09-30T00:00:00Z Failed password for testuser from ["Failed","password","for","testuser","from"] 3 testuser
2019-09-30T00:00:00Z Failed password fakeuser from ["Failed","password","fakeuser","from"] 2 fakeuser

 

 

View solution in original post

1 Like
Reply