Kusto Regex Matches


I'm trying to write a query that will match logs where a field contains any domain other than our own. This is what I have tried:

 

| where Recipient matches regex @"(@(?!ourdomain)[A-Za-z0-9]+(.))"
 
But Kusto uses the re2 library which does not support lookarounds, as noted here: https://github.com/google/re2/wiki/Syntax
 
Is there a workaround in Kusto to exclude strings from regex matches?
5 Replies

@andrew_bryant I ran into the same issue. I wasn't able to find an answer to do this regex. What I ended up doing was using something like 'where Data.ObjectName !contains ("System Volume Information")' to filter out strings I didn't want to be included.

 

Not sure if this will work in your scenario but this was the only solution I was able to come up with to address this.

@mperrotta Thanks. I had thought of that. But this field could contain multiple domains in it. I want to match on any record where the field contains a domain other than ours, even if it also contains ours.

@andrew_bryant do you have any updates on this matches regex issue?

I seem to have run into it trying to implement two Sentinel query templates which use this function, 

e.g. this one


I also note an overnight post by another contributor which looks like a similar issue to me ...

 


@Col_Sanders @andrew_bryant 

 

This would ignore your domain 

// Constructed sample value standing in for the Recipient column of a real table
let Recepient = "This fake fakeperson@fake.com"; 
print Recepient
// Dots are escaped so that "ourdomain.com" is matched literally rather than "ourdomainXcom"
| extend ourDom = iif(not(Recepient matches regex @"([A-Za-z0-9]*ourdomain\.com)"), 
                    extract(@"([A-Za-z0-9]*\.com)", 0, Recepient),
                    "Matched to ourdomain.com") 
| project ourDom
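The reply above handles a field holding a single address. For the case raised in the question, where the field may hold several addresses and any domain other than our own should match, the lookaround can be avoided entirely: extract every domain with extract_all (RE2 supports this), remove our own domains with set_difference, and keep rows where anything is left. This is an added example, not code from the thread; the datatable rows and the OurDomains list are constructed sample values.

```kusto
// Constructed sample data standing in for the table the original query reads.
// OurDomains is an assumed allow-list; replace it with the organisation's own domains.
let OurDomains = dynamic(["ourdomain.com"]);
datatable(Recipient:string) [
    "alice@ourdomain.com",
    "alice@ourdomain.com; bob@external.example",
    "carol@external.example",
    "no address here"
]
// Pull every domain that follows an '@'. No lookaround is needed, so RE2 accepts it.
// With a single capture group, extract_all returns an array of strings (empty when nothing matches).
| extend Domains = extract_all(@"@([A-Za-z0-9.-]+)", tolower(Recipient))
// Whatever remains after removing our own domains is an external domain.
| extend ExternalDomains = set_difference(Domains, OurDomains)
// Keep only rows that carry at least one external domain, even if ours is also present.
| where array_length(ExternalDomains) > 0
| project Recipient, ExternalDomains
```

On the sample rows this returns the second and third rows only: the first contains nothing but our domain, and the fourth contains no address at all. Note that subdomains such as mail.ourdomain.com are treated as external by an exact set comparison; if those should count as internal, add them to OurDomains or normalise the extracted value to its registrable domain before the comparison.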

 

 

@Col_Sanders In case anyone else stumbles on this I'll just post my own fix/discovery for this.
Turned out that whenever I used Intelli-sense to insert matches I would get the syntax error.

By manually typing the word matches , no syntax error would occur!