Azure Data Explorer ingest text Log Files with custom delimiter
I'm trying to use Azure Data Explorer to ingest some logs (IIS Logs, POP3 logs, IMAP logs) that contain values delimited by space.
I would have expected Azure Data Explorer to infer the correct schema from the files as separate columns, however it only identifies a single column with the entire data.
The reason for this seems to be the header and metadata rows, which I can't find a way to skip (would have thought there is a way to skip those).
However, even if I remove the metadata rows, manually, from the log file, it still doesn't seem to be able to recognize the schema for the table.
I have also tried to create the table before ingesting, using KQL queries, and instead of creating a new table, I ask the import to ingest into an already existing table. However, doing this, it doesn't identify any rows to be imported from the logs.
I'm not sure what exactly can be done, I thought Azure Data Explorer (and Log Explorer - tried that too, works the same) to be a perfect solution for log files created by Windows apps.
The documentation might have been a good start point.
It is very clear as to what are the supported formats for ingestion.
IIS Logs, POP3 logs & IMAP logs are not listed.
Data formats supported by Azure Data Explorer for ingestion
As to the TXT format, an entire line is ingested as a single value. No additional parsing there.
| Format | Extension | Description |
|---|---|---|
| TXT | .txt | A text file with lines delimited by \n. Empty lines are skipped. |
You could use the TXT format to load the data and then parse it and split it to columns, within ADX, probably by using REGEX.
- How to ingest inline into Azure Data Explorer Table from PowerShell?
- EventHubValidationErrorFound mapping does not exist
- KQL query to extend new column with other row values
- What is considered an ingestion request in Azure Data Explorer?
- Kql function to append columns
- Kibana Query for Message that contains ":"
- Get Azure VM creation date
- How good is performance of "has" operator in Kusto when RHS is not exactly one term?
- Stuck at PIM Diagnostics via KQL
- union with all fields
- How to create an Alert for Data Collection Rule deletion across all VMs in a subscription?
- Are joins within the same cluster consistent and isolated in Azure Data Explore?
- Is it possible to change the day returned from startofweek() and endofweek()?
- How to run Get Kusto query using Rest API
- KQL: bag unpack json into single row
- ADX - KQL: Conditionally Extending Property Columns from Dynamic Column
- Where is Update Policy failure logged
- Need suggestion to implement restrictive permissions to Kusto Tables and Functions
- How to do a KQL time window join at millisecond granularity?
- Kusto Query replace the timestamp of duplicate rows
- Using Kusto scan operator to capture sequential pairs that meets criteria
- KQL Query for Calculation of ErrorDuration within Timespan
- Add text to point(s) in Kusto linechart
- Kusto query with multiple sample values from an aggregate
- How to get data for specific date (startofweek) in a given time range in KQL?
- Defining external table kind as delta
- Kusto query map through array
- java.io.UncheckedIOException: io.netty.channel.StacklessClosedChannelException while writing to adx
- KQL: Every time a word is mentioned in a column append it to a new column as a list
- KQL: Create an id column every time a value changes in column x ordered by another column y