Forum Discussion
yugandhar206
Jan 23, 2025 (Copper Contributor)
How to remove string quotes and other things from the parsed syslog message
Hello Sentinel Community,
We are ingesting Azure Database for PostgreSQL logs into the Log Analytics workspace and tried to retrieve the values from the PostgreSQL log Message column. However, we are getting the values in double quotes and comma from the retrieved values. Below is the sample PostgreSQL Message log:
Message: 2025-01-22 09:53:35 UTC-6790c01f.259e-FATAL: no pg_hba.conf entry for host "10.150.48.4", user "email address removed for privacy reasons", database "prodxxxx0424", no encryption
We used the below KQL query and parse kind (mentioned below) to get the values of host, user, and database, but we got the values like below with double quotes and comma. How to get the values without double quotes?
AzureDiagnostics
| where Category == "PostgreSQLLogs"
| where errorLevel_s == "FATAL"
| where Message contains "no pg_hba.conf entry"
| parse kind=relaxed Message with * "host" Source_IP "user" UserName "database" DatabaseName
Received Values:
Thanks,
Yugandhar.
- GaryBushey (Bronze Contributor)
I would suggest looking at a Regex string to remove the unneeded characters (Regex syntax - Kusto | Microsoft Learn)
- Clive_Watson (Bronze Contributor)
Gary is correct (as always), you can also just trim the data as well, not as elegant but useful. I think you also need to add: "," * at the end of the parse to just get the database name.
// Demo only: bind the sample message to a scalar and run it through a single row of any table
let Message = '"Message: 2025-01-22 09:53:35 UTC-6790c01f.259e-FATAL: no pg_hba.conf entry for host "10.150.48.4", user "email address removed for privacy reasons", database "prodxxxx0424", no encryption"';
Usage | take 1
// The trailing "," * stops DatabaseName at the comma instead of capturing the rest of the line
| parse kind=relaxed Message with * "host" Source_IP "user" UserName "database" DatabaseName "," *
// trim(regex, text) strips leading and trailing non-word characters: the quotes, commas and spaces
| project SourceIP=trim(@"[^\w]+", Source_IP), UserName=trim(@"[^\w]+", UserName), Database=trim(@"[^\w]+", DatabaseName)
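Following Gary's regex suggestion, here is an added example (not code from the thread) that captures the quoted values directly with extract(), so no trim is needed, and then counts rejected connections per source and user for review. The datatable row is constructed from the sample message with a placeholder user; in the workspace, replace Sample with AzureDiagnostics.

```kusto
// Constructed sample row (not real telemetry); user value is a placeholder
let Sample = datatable(TimeGenerated:datetime, Category:string, errorLevel_s:string, Message:string) [
    datetime(2025-01-22 09:53:35), "PostgreSQLLogs", "FATAL",
    '2025-01-22 09:53:35 UTC-6790c01f.259e-FATAL: no pg_hba.conf entry for host "10.150.48.4", user "user@example.com", database "prodxxxx0424", no encryption'
];
Sample
| where Category == "PostgreSQLLogs" and errorLevel_s == "FATAL"
| where Message has "no pg_hba.conf entry"
// Capture group 1 is the text between the quotes, so the quotes and commas never reach the column
| extend Source_IP    = extract(@'host "([^"]+)"', 1, Message),
         UserName     = extract(@'user "([^"]+)"', 1, Message),
         DatabaseName = extract(@'database "([^"]+)"', 1, Message),
         Unencrypted  = Message has "no encryption"
// Repeated rejections from one source are the signal worth triaging
| summarize Attempts = count(), Databases = make_set(DatabaseName),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
  by Source_IP, UserName, Unencrypted
```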