I have a couple of Custom Logs in Log-Analytics. I want to parse columns of one log using columns from another log. Using join I can get to the stage where all the data is in a single table. Like:
| Label | Data |
|---|---|
| First | First=abc , Second=def , Third= ghi |
| Second | First=abc , Second=def , Third= ghi |
I want another column with the respective data mapped like:
| Label | Data | Value |
|---|---|---|
| First | First=abc , Second=def , Third= ghi | abc |
| Second | First=abc , Second=def , Third= ghi | def |
Is there a way I can parse this. I have tried using the KQL's parse function and regex. But they only work to parse fixed statements. Here the Value is not fixed. Any tips?
datatable(label:string, data:string) [
'First', 'First=abc , Second=def , Third=ghi',
'Second', 'First=abc , Second=def , Third= ghi',
'Third', 'First=abc , Second=def , Third= ghi'
]
| project label, data = split(data, ',')
| mv-expand bagexpansion=array data to typeof(string)
| project label, data = split(data, '=')
| where label == trim(' ', tostring(data[0]))
| project label, value = trim(' ', tostring(data[1]))