
Azure Log Analytics Syntax Error for Regex


I am writing a DNS parser for the following type of log files:

18/03/2020 07:08:23 1164 PACKET 000000C164RF56B0 UDP Rcv 10.128.151.34 076e Q [0001 D NOERROR] A (10)indelpus03(6)kworld(4)kay(3)com(0)

I am trying to grab whatever is inside of [] - therefore 0001 D NOERROR. I have the following regex, which is valid:

(?<=[)(.*?)(?=])

However, when I test this in KQL it fails; it says syntax error. Please let me know if anyone has a solution. The same occurs for the regex for the domain name, etc.


Solution

  • Here are two methods:
    1) Using parse operator: https://learn.microsoft.com/en-us/azure/kusto/query/parseoperator

    print m = '18/03/2020 07:08:23 1164 PACKET 000000C164RF56B0 UDP Rcv 10.128.151.34 076e Q [0001 D NOERROR] A (10)indelpus03(6)kworld(4)kay(3)com(0)'
    | parse m with * '[' Message ']' *
    

    2) Using extract() function: https://learn.microsoft.com/en-us/azure/kusto/query/extractfunction

    print m = '18/03/2020 07:08:23 1164 PACKET 000000C164RF56B0 UDP Rcv 10.128.151.34 076e Q [0001 D NOERROR] A (10)indelpus03(6)kworld(4)kay(3)com(0)'
    | extend Message = extract(@'\[(.+?)\]', 1, m)
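KQL's regex engine is RE2-based and does not support lookbehind/lookahead, which is why the original pattern is rejected and the answer's capture-group version works. The following is an added example (not part of the original post or of Kusto) showing the same capture-group-only approach in Python's standard `re` module, extended to also decode the length-prefixed domain labels the question mentions; the log lines and the `parse_dns_line` name are constructed for the example.

```python
import re

# Constructed sample lines in the Windows DNS debug-log format quoted in the question.
SAMPLE_LOGS = [
    "18/03/2020 07:08:23 1164 PACKET 000000C164RF56B0 UDP Rcv 10.128.151.34 076e Q "
    "[0001 D NOERROR] A (10)indelpus03(6)kworld(4)kay(3)com(0)",
    "18/03/2020 07:08:23 1164 PACKET 000000C164RF56B0 UDP Snd 10.128.151.34 076e R Q "
    "[8081 DR NOERROR] A (10)indelpus03(6)kworld(4)kay(3)com(0)",
]

# Capture groups only: no lookbehind or lookahead, so the same patterns are
# valid in RE2-style engines such as the one behind KQL's extract().
FLAGS_RE = re.compile(r"\[(.+?)\]")
# The query name is written as length-prefixed labels ending in (0):
#   (10)indelpus03(6)kworld(4)kay(3)com(0)
NAME_RE = re.compile(r"((?:\(\d+\)[^\s(]*)+\(0\))")
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")


def parse_dns_line(line):
    """Return {'flags': ..., 'domain': ...} for one debug-log line, or None if
    the bracketed flags or the length-prefixed name cannot be found."""
    flags = FLAGS_RE.search(line)
    name = NAME_RE.search(line)
    if not flags or not name:
        return None
    labels = []
    for length, label in LABEL_RE.findall(name.group(1)):
        if int(length) == 0:  # (0) is the root label: end of name
            break
        labels.append(label)  # length prefixes are not validated here
    return {"flags": flags.group(1), "domain": ".".join(labels)}


def parse_dns_lines(lines):
    """Parse many lines, skipping those that do not carry both fields."""
    return [r for r in (parse_dns_line(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for record in parse_dns_lines(SAMPLE_LOGS):
        print(record)
```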