I have linked the following log itno azure log anlytic environment via customer log
2023-01-24 07:58:30[X:MoveCarddataShare_Start]
2023-01-24 07:58:30[X;MoveCarddataShare_FileTomove:SA\Dispatch\)
2023-01-24 07:58:30[X;MoveCarddataShare_FileCountTomove:2)
2023-01-24 07:58:32[X;MoveCarddataShare_FileTomove:Styled and Co\Dispatch\)
2023-01-24 07:58:32[X;MoveCarddataShare_FileCountTomove:2)
I want to now the value of X (which is the client) and then the action and then the result
THe following code works
let temp =
ShelSA_cardMovment_CL
| parse RawData with * "[" C
| parse RawData with * ";" A
| parse RawData with * "^" R
| extend dt = substring(RawData,0,19)
,Client = split(C,";",0)
,Action = split(A,"^",0)
,Re = R;
temp
|extend Result= replace_string(tostring(Re),')','')
But all resulting columns have "[ ]" around the output the replace will remove it but it seems ungainly
["ShellSA"]
["MoveCarddataShare_FileTomove"]
Symon\Dispatch\)
Also, I wondered if this is the best way
This is the CV output I want
| Datetime of action | Client | Action | Re | Result |
|---|---|---|---|---|
| 24/01/2023 07:58 | "[""X:MoveCarddataShare^Start\r\n""]" | "[""""]" | "Start" | "Start" |
| 24/01/2023 07:58 | "[""X""]" | "[""MoveCarddataShare_FileTomove""]" | "SA\Dispatch)" | "SA\Dispatch" |
| 24/01/2023 07:58 | "[""X""]" | "[""MoveCarddataShare_FileCountTomove""]" | "2)" | "2" |
| 24/01/2023 07:58 | "[""X""]" | "[""MoveCarddataShare_FileTomove""]" | "Styled and Co\Dispatch)" | "Styled and Co\Dispatch" |
| 24/01/2023 07:58 | "[""X""]" | "[""MoveCarddataShare_FileCountTomove""]" | "2)" | "2" |
| 24/01/2023 07:58 | "[""X""]" | "[""MoveCarddataShare_FileTomove""]" | "Symon\Dispatch)" | "Symon\Dispatch" |
| 24/01/2023 07:58 | "[""X""]" | "[""MoveCarddataShare_FileCountTomove""]" | "3)" | "3" |
| 2023-01-23 14:51:25 | "[""X:MoveCarddataShare_DateofFilemove\r\n""]" | "[""""]" | ||
| 24/01/2023 07:58 | "[""X""]" | "[""MoveCarddataShare_LastfileMoved""]" | "New Text Document.txt)" | "New Text Document.txt" |
| 24/01/2023 07:58 | "[""X""]" | "[""MoveCarddataShare_Movefiledcount""]" | "14)" | "14" |
| 24/01/2023 07:58 | "[""X""]" | "[""MoveCarddataShare""]" | "End" | "End" |
CodePudding user response:
I'm guessing this is what you are looking for
datatable(RawData:string)
[
@"2023-01-24 07:58:30[X:MoveCarddataShare_Start]"
,@"2023-01-24 07:58:30[X;MoveCarddataShare_FileTomove:SA\Dispatch\)"
,@"2023-01-24 07:58:30[X;MoveCarddataShare_FileCountTomove:2)"
,@"2023-01-24 07:58:32[X;MoveCarddataShare_FileTomove:Styled and Co\Dispatch\)"
,@"2023-01-24 07:58:32[X;MoveCarddataShare_FileCountTomove:2)"
]
| parse kind=regex flags=U RawData with Timestamp:datetime @"\[" Client "[;:]" Action @"[]:]" Result @"\)?$"
| RawData | Timestamp | Client | Action | Result |
|---|---|---|---|---|
| 2023-01-24 07:58:30[X:MoveCarddataShare_Start] | 2023-01-24T07:58:30Z | X | MoveCarddataShare_Start | |
| 2023-01-24 07:58:30[X;MoveCarddataShare_FileTomove:SA\Dispatch) | 2023-01-24T07:58:30Z | X | MoveCarddataShare_FileTomove | SA\Dispatch\ |
| 2023-01-24 07:58:30[X;MoveCarddataShare_FileCountTomove:2) | 2023-01-24T07:58:30Z | X | MoveCarddataShare_FileCountTomove | 2 |
| 2023-01-24 07:58:32[X;MoveCarddataShare_FileTomove:Styled and Co\Dispatch) | 2023-01-24T07:58:32Z | X | MoveCarddataShare_FileTomove | Styled and Co\Dispatch\ |
| 2023-01-24 07:58:32[X;MoveCarddataShare_FileCountTomove:2) | 2023-01-24T07:58:32Z | X | MoveCarddataShare_FileCountTomove | 2 |