All Apps and Add-ons

Parsing fields from Azure Log Analytics KQL Grabber

edhealea
Path Finder

Has anyone successfully parsed fields from the data gathered with Azure Log Analytics KQL Grabber?
We are working on pulling Log Analytics logs from Azure using KQL Grabber which works great for doing this. We are finding because KQL sends everything to the sourcetype KQL, we can't consistently parse fields out for our different inputs we have defined within KQL.

Labels (1)
0 Karma

dmcintosh1972
Explorer

you could set up different inputs with a relevant source type on the input field of the form.  or if you are planning to use a single input with multiple tables coming in you can set up props and transforms in the app to modify the sourcetype value based on your logs. look for an identifying field with 100% log coverage, use that in a regex to identify your records and modify the sourcetype.

0 Karma

02sangeet
Engager

Could you please help us, giving some idea about the extraction you used to solve this issue. I am also facing the same issue here, though  we are able to fetch some data from MS Azure log analytics but data shows only header part.

0 Karma

edhealea
Path Finder

If you are only getting header information, check your query in Log Analytics first. If it works correctly there then it should work in KQL. We haven't had one not work yet.

Also, Some logs in Azure only have header info and no data.  Not sure why that is.

0 Karma

a_naoum
Path Finder

In the latest version, you have the possibility to define sourcetype per stanza. I guess this can help you. 

As workaround you can always go to inputs.conf and hardcode the sourcetype there. That's general approach regardless the addon that you are using.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...