I'm trying to extract the last part of a message using KQL, the patter is consistent on what part of the message is needed, for example, I need to extract everything next to ">]" characters.

In the followed example, would be "Connection Timeout Expired. The timeout period elapsed during the post-login phase.":

System.ComponentModel.SQLClientException (258): Unknown error 258 [Open]
   at System.Data.ProviderBase.DbConnectionPool.CheckPoolBlockingPeriod(Exception e)
   at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject,
   DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
   [<GUI:03c09dfd-678f-45a1-a446-05f5217a705f>] Connection Timeout Expired. The timeout period elapsed during the post-login phase.

I've been trying suing the followed regex patter but it fails with the message: SemanticException.

traces
| where ...
| project extract(@"(?<=>])",1,message) 

Please someone advice.

CodePudding user response：

you could use the parse operator.

for example:

print input = ```System.ComponentModel.SQLClientException (258): Unknown error 258 [Open]
   at System.Data.ProviderBase.DbConnectionPool.CheckPoolBlockingPeriod(Exception e)
   at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject,
   DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
   [<GUI:03c09dfd-678f-45a1-a446-05f5217a705f>] Connection Timeout Expired. The timeout period elapsed during the post-login phase.```
| parse input with * ">] " output