Parsing fields from Azure Log Analytics KQL Grabbe...

edhealea · ‎09-01-2020

Has anyone successfully parsed fields from the data gathered with Azure Log Analytics KQL Grabber?
We are working on pulling Log Analytics logs from Azure using KQL Grabber which works great for doing this. We are finding because KQL sends everything to the sourcetype KQL, we can't consistently parse fields out for our different inputs we have defined within KQL.

dmcintosh1972 · ‎07-26-2022

you could set up different inputs with a relevant source type on the input field of the form. or if you are planning to use a single input with multiple tables coming in you can set up props and transforms in the app to modify the sourcetype value based on your logs. look for an identifying field with 100% log coverage, use that in a regex to identify your records and modify the sourcetype.

02sangeet · ‎09-23-2021

Could you please help us, giving some idea about the extraction you used to solve this issue. I am also facing the same issue here, though we are able to fetch some data from MS Azure log analytics but data shows only header part.

edhealea · ‎09-23-2021

If you are only getting header information, check your query in Log Analytics first. If it works correctly there then it should work in KQL. We haven't had one not work yet.

Also, Some logs in Azure only have header info and no data. Not sure why that is.

a_naoum · ‎09-21-2020

In the latest version, you have the possibility to define sourcetype per stanza. I guess this can help you.

As workaround you can always go to inputs.conf and hardcode the sourcetype there. That's general approach regardless the addon that you are using.

Parsing fields from Azure Log Analytics KQL Grabber

configuration

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)