
I'm using a KQL query in Azure to create a Sentinel alert.

I can't work out how to trim a string to show the data between the third instance of the " character and the first instance of (.

I've tried to use trim_start/trim_end and also a split command but keep getting regex problems.

An example of the string is [ "HOSTNAME", "Test User (t.user@example.com)" ]

I'd like to either extract Test User from the string or HOSTNAME, Test User and t.user@example.com into separate fields.

Any help or pointers in the right direction would be appreciated.

wosset

2 Answers


You could use the parse operator.

For example:

print input = '[ "HOSTNAME", "Test User (t.user@example.com)" ]'
| parse input with * '"' host_name '"' * '"' user_name ' (' email_address ')' *

input                                             host_name  user_name  email_address
[ "HOSTNAME", "Test User (t.user@example.com)" ]  HOSTNAME   Test User  t.user@example.com
Yoni L.

parse-where is good for this, too.

https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/parsewhereoperator

rodtrent
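The following is an added example, not code from either answer above, that runs the parse pattern from the first answer over several rows and sets it beside a parse_json()-based extraction, so the difference shows up on input that does not fit the expected layout. The Samples table, its RawValue column and its three rows are constructed for this example (the third row deliberately has no "(email)" suffix); the real Sentinel column name will differ, and if that column is already of type dynamic the parse_json() call is unnecessary.

```kql
// Added example, not code from either answer above. The Samples table and
// its three rows are constructed; the third row deliberately lacks the
// "(email)" suffix to show what each approach does with input that does
// not fit the expected layout.
let Samples = datatable(RawValue:string) [
    '[ "HOSTNAME", "Test User (t.user@example.com)" ]',
    '[ "WS-042", "Second Person (s.person@example.com)" ]',
    '[ "NOPAREN", "Service Account" ]'
];
Samples
// Positional pattern from the first answer. With the default kind=simple a
// row that does not match keeps flowing through the pipeline with the named
// columns empty; swap 'parse' for 'parse-where' (second answer) to drop
// such rows instead of carrying empty fields into the alert logic.
| parse RawValue with * '"' host_name '"' * '"' user_name ' (' email_address ')' *
// The raw value is also valid JSON, so parse_json() returns the two array
// elements without depending on the exact whitespace the pattern above
// hard-codes (' (' must be exactly one space). extract() then splits the
// second element; it returns an empty result where the regex does not match.
| extend Parsed = parse_json(RawValue)
| extend json_host = tostring(Parsed[0]), user_field = tostring(Parsed[1])
| extend json_user  = extract(@"^(.*?)\s*\(", 1, user_field),
         json_email = extract(@"\(([^)]+)\)", 1, user_field)
| project RawValue,
          host_name, user_name, email_address,          // from parse
          json_host, json_user, json_email,             // from parse_json + extract
          pattern_matched = isnotempty(email_address)   // false for the third row
```

Run it in Log Analytics or Azure Data Explorer as one query. For the first two rows both sets of columns agree; for the third, the parse columns are empty and pattern_matched is false, while json_host still holds NOPAREN because parse_json() does not depend on the "(...)" suffix. When the extracted fields feed an analytic rule, filter with parse-where or `| where pattern_matched` so that a malformed entity string does not produce an alert with blank host or user fields.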