cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User defined function for Log analytics custom log cannot parse the RawData

Sahyang
Copper Contributor

‎Oct 31 2022 11:17 PM

‎Oct 31 2022 11:17 PM

User defined function for Log analytics custom log cannot parse the RawData

Hi Team,

I'd like to use kusto query to view application(web/was) logs on log analytics.

I've created below kusto query and it works fine as I intended.

 

let RemoveBracket = (RawData:string)
{ substring(RawData, 1, indexof(RawData, "]", 1)-1) } ;
let BodyIndex = (RawData:string)
{ toint( strlen(RawData)-indexof(RawData, "]", 1) ) } ;
appdocrootlogs_CL
| extend head = RemoveBracket(RawData)
| extend headSplit = split(head, "|")
| extend body = substring(RawData, indexof(RawData, "]", 1)+1, BodyIndex(RawData))
| extend TimeStamp=headSplit[0], Sev=headSplit[1], method=headSplit[2], VMSS=headSplit[3], svr=headSplit[4], AOD=headSplit[5], Result=headSplit[6], msg=headSplit[7], body
| where VMSS contains "qa"
| project TimeStamp, Sev, method, VMSS, svr, AOD, Result, msg, body

 

 

However, when I tried to define above two functions (RemoveBracket, BodyIndex) seperately, and tried below query, it generated below errors.

 

Function 'RemoveBracket' could not be parsed at 'RawData' on line [0,40] Token: RawData Position: 40 If the issue persists, please open a support ticket. Request id: 1549132e-157f-4362-b9d5-c456b1b361ce

 

Why this happens ? How do i create user defined functions?

 

1,077 Views
0 Likes
2 Replies
Reply
2 Replies
Clive_Watson

‎Nov 01 2022 07:12 AM

‎Nov 01 2022 07:12 AM

Re: User defined function for Log analytics custom log cannot parse the RawData

This looks good to me, but not on your data source of course. I used CloudApEvents table and some small edits, but the tow functions seemed to work

let RemoveBracket = (RawData:string)
{ substring(RawData, 1, indexof(RawData, "]", 1)-1) } ;
let BodyIndex = (RawData:string)
{ toint( strlen(RawData)-indexof(RawData, "]", 1) ) } ;
CloudAppEvents
| extend head = RemoveBracket(RawEventData)
| extend headSplit = split(head, "|")
| extend body = substring(RawEventData, indexof(RawEventData, "]", 1)+1, BodyIndex(RawEventData))
| extend TimeStamp=headSplit[0], Sev=headSplit[1], method=headSplit[2], VMSS=headSplit[3], svr=headSplit[4], AOD=headSplit[5], Result=headSplit[6], msg=headSplit[7], body
//| where VMSS contains "qa"
| project TimeStamp, Sev, method, VMSS, svr, AOD, Result, msg, body
| limit 100
| where isnotempty(TimeStamp)



0 Likes
Reply
Sahyang

‎Nov 01 2022 06:50 PM

‎Nov 01 2022 06:50 PM

Re: User defined function for Log analytics custom log cannot parse the RawData

@Clive_Watson 
Hello Watson, thank you for your comment.

It works when I attached those two "let" functions.

However, the point is that the query does not work if I defined separately those two fucntion and tried to call rather than define on top of the query.
Means, I defined "RemoveBracket" and "BodyIndex" as saved functions and use below query,

 

appdocrootlogs_CL
| extend head = RemoveBracket(RawData)
| extend headSplit = split(head, "|")
| extend body = substring(RawData, indexof(RawData, "]", 1)+1, BodyIndex(RawData))
| project TimeStamp=headSplit[0], Sev=headSplit[1], method=headSplit[2], VMSS=headSplit[3], svr=headSplit[4], AOD=headSplit[5], Result=headSplit[6], msg=headSplit[7], body

 

 

the function call generates error.

Can you also try to define those two function separately and tried to use?

0 Likes
Reply