I'm using a KQL query in Azure to create a Sentinel alert.
I can't work out how to trim a string to show the data between the third instance of the " character and the first instance of (
I've tried to use trim_start/trim_end and also a split command but keep getting regex problems.
An example of the string is [ "HOSTNAME", "Test User (t.user@example.com)" ]
I'd like to either extract Test User from the string or HOSTNAME, Test User and t.user@example.com into separate fields.
Any help or pointers in the right direction would be appreciated.
You could use the parse operator. For example:
print input = '[ "HOSTNAME", "Test User (t.user@example.com)" ]'
| parse input with * '"' host_name '"' * '"' user_name ' (' email_address ')' *
input | host_name | user_name | email_address |
---|---|---|---|
[ "HOSTNAME", "Test User (t.user@example.com)" ] | HOSTNAME | Test User | t.user@example.com |
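An added example, not part of the original answer: because the sample value is a JSON array, it can also be split with parse_json and extract, which keeps rows whose second element has no "(email)" part instead of leaving every field empty. The column name RawValue and the three sample rows are constructed for illustration.

```kql
// Constructed sample rows; RawValue is an assumed column name.
// The third row has no "(email)" part, to show the fallback.
datatable(RawValue:string)
[
    '[ "HOSTNAME", "Test User (t.user@example.com)" ]',
    '[ "HOST02", "Another User (a.user@example.com)" ]',
    '[ "HOST03", "svc-account" ]'
]
// Treat the value as a JSON array: element 0 is the host, element 1 the user field.
| extend arr = parse_json(RawValue)
| extend host_name = tostring(arr[0]), user_field = tostring(arr[1])
// Display name: everything before the first "(" with trailing whitespace dropped.
// Email: the text inside the parentheses.
| extend user_name = extract(@'^(.*?)\s*\(', 1, user_field),
         email_address = extract(@'\(([^)]+)\)', 1, user_field)
// If there was no "(", keep the whole user field as the name rather than an empty string.
| extend user_name = iff(isempty(user_name), user_field, user_name)
| project host_name, user_name, email_address
```

In an analytics rule, rows where email_address is empty can then be filtered or handled separately rather than silently mapping blank entities.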