I have a log source in Sentinel that delimits data in two different ways in the same log, e.g. - and `$60.
So far I've tried:
| extend FieldNameSplit = split(FieldName , '-|$60')
As well as:
| extend FieldNameSplit = split(FieldName, '-')
| extend FieldNameSplitTwo = split(FieldNameSplit, '$60')
Neither of these method have proven effective. Any other ideas?
Thanks in advance for the insight!
If I understand your question correctly, you could try using the extract_all() function: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/extractallfunction
for example:
print input = "a-b-c$60d-e$60f$60g-h"
| extend output= extract_all(@"([^-(\$60)]+)", values)
| input | output |
|---|---|
| a-b-c$60d-e$60f$60g-h | [ "a", "b", "c", "d", "e", "f", "g", "h" ] |