Contribute in GitHub:
Edit online
extract()
Get a match for a regular expression from a source string.
Optionally, convert the extracted substring to the indicated type.
extract("x=([0-9.]+)", 1, "hello x=45.6|wo") == "45.6"
Syntax
extract(regex, captureGroup, source [, typeLiteral])
Arguments
- regex: A regular expression.
- captureGroup: A positive
intconstant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parentheses. - source: A
stringto search. - typeLiteral: An optional type literal (e.g.,
typeof(long)). If provided, the extracted substring is converted to this type.
Returns
If regex finds a match in source: the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral.
If there's no match, or the type conversion fails: null.
Examples
The following example shws the extracted value of the cid using a CrowdStrike Falcon Insight data source
events
| project original_time, data_source_name, payload
//--- Search for the last 5 minutes of data
| where original_time > ago(5d)
//--- USER Criteria Here
| extend extracted_Value =extract("\"cid\":(.*?),", 1, payload, typeof(string))
| take 1
Note : payload partially shown.
Result
| original_time | data_source_name | payload | extracted_Value |
|---|---|---|---|
| 2023-08-19T23:29:32.321Z | CrowdStrike Falcon Insight | <12>...crowdstrike.falcon.insight.xdr {"cid": "56177c0a0d64485abf698b5018d95f6c",... | "56177c0a0d64485abf698b5018d95f6c" |