Apr 15 2020 10:05 AM
I'm trying to write a query that will match logs where a field contains any domain other than our own. This is what I have tried:
Apr 15 2020 12:19 PM
@andrew_bryant I ran into the same issue. I wasn't able to find an answer to do this regex. What I ended up doing was using something like 'where Data.ObjectName !contains ("System Volume Information")' to filter out strings I didn't to be included.
Not sure if this will work in your scenario but this was the only solution I was able to come up with to address this.
Apr 15 2020 02:00 PM
@mperrotta Thanks. I had thought of that. But this field could contain multiple domains in it. I want to match on any record where the field contains a domain other than ours, even if it also contains ours.
Sep 01 2020 06:32 PM
@andrew_bryant do you have any updates on this matches regex issue?
I seem to have run into it trying to implement two Sentinel query templates which use this function,
e.g. this one
I also note an overnight post by another contributor which looks like a similar issue to me ...
Sep 02 2020 04:57 AM
This would ignore your domain
let Recepient = "This fake fakeperson@fake.com";
print Recepient
// The dot is escaped (\.) so the pattern matches a literal "ourdomain.com"
// rather than "ourdomain" followed by any single character.
| extend ourDom = iif(not(Recepient matches regex @"([A-Za-z0-9]*ourdomain\.com)"),
    extract(@"([A-Za-z0-9]*\.com)", 0, Recepient),   // capture group 0: the first *.com token
    "Matched to ourdomain.com")
| project ourDom
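The original question (a field holding several addresses, where a row should match if any domain other than ours appears, even when ours appears too) is not fully covered by a single `matches regex` or by `!contains`. The following KQL is an added example, not code from the thread or from any Sentinel template: it extracts every domain in the field, removes our own, and keeps rows where anything is left. The `Recipients` column, the `ourdomain.com` value and the `datatable` rows are constructed for illustration.

```kql
// Added example (not from the thread): flag rows whose recipient field contains
// any domain other than ours, even when our domain is also present.
// Assumptions: the field is named Recipients and our domain is ourdomain.com.
let OurDomain = "ourdomain.com";
// Constructed sample rows; row 3 is a look-alike that a plain `contains` check would treat as ours.
datatable(Id:int, Recipients:string)
[
    1, "alice@ourdomain.com; bob@ourdomain.com",
    2, "alice@ourdomain.com; mallory@evil.example",
    3, "carol@ourdomain.com.attacker.example",
    4, "dave@partner.example"
]
// Every domain that follows an '@'; lower-cased so the comparison is case-insensitive.
| extend Domains = extract_all(@"@([A-Za-z0-9.-]+)", tolower(Recipients))
// Drop our own domain by exact match, not substring, so look-alikes are not excused.
| extend External = set_difference(Domains, pack_array(OurDomain))
| where array_length(External) > 0
| project Id, Recipients, External
```

Rows 2, 3 and 4 are returned; row 1 is not. The exact-match `set_difference` is the part that matters for detection: a `contains "ourdomain.com"` filter would silently accept row 3, and an unescaped dot in the regex (`ourdomain.com` instead of `ourdomain\.com`) would accept `ourdomainXcom` as well.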
Sep 08 2020 03:33 PM - edited Sep 08 2020 03:34 PM
@Col_Sanders In case anyone else stumbles on this, I'll just post my own fix/discovery for this.
Turned out that whenever I used IntelliSense to insert matches I would get the syntax error.
By manually typing the word matches, no syntax error would occur!