0

I have a couple of Custom Logs in Log-Analytics. I want to parse columns of one log using columns from another log. Using join I can get to the stage where all the data is in a single table. Like:

Label Data
First First=abc , Second=def , Third= ghi
Second First=abc , Second=def , Third= ghi

I want another column with the respective data mapped like:

Label Data Value
First First=abc , Second=def , Third= ghi abc
Second First=abc , Second=def , Third= ghi def

Is there a way I can parse this. I have tried using the KQL's parse function and regex. But they only work to parse fixed statements. Here the Value is not fixed. Any tips?

Ankur Deswal-AIS
  • 3
  • 2

1 Answers1

0
datatable(label:string, data:string) [ 
    'First', 'First=abc , Second=def , Third=ghi',
    'Second', 'First=abc , Second=def , Third= ghi',
    'Third', 'First=abc , Second=def , Third= ghi'
]
| project label, data = split(data, ',')
| mv-expand bagexpansion=array data to typeof(string)
| project label, data = split(data, '=')
| where label == trim(' ', tostring(data[0]))
| project label, value = trim(' ', tostring(data[1]))
Alexander Vos de Wael
  • 467
  • 2
  • 4