Azure Log Analytics: Using the Parse operator

Updated: to include some screenshots (as this wasn't working the other day)

Today I had to look at getting some data from SecurityEvent.  This is using the new Log Analytics query language and the Advanced Analytics portal.

I was looking at EventID: 5061, but you can use any EventID you like, e.g.

SecurityEvent
| where EventID == 5061


This returns all the normal fields such as Computer, TimeGenerated, EventID, EventData, etc. It was the EventData field I was interested in:

SecurityEvent
| where EventID == 5061
| project TimeGenerated, Computer, EventData, EventID

There were quite a lot of events, so I also used the limit command to return only 10 results and speed up the work (a good practice while you are still developing a query). That makes the query look like this:

SecurityEvent
| where EventID == 5061
| project TimeGenerated, Computer, EventData, EventID
| limit 10


What I really wanted was a piece of data in the EventData, for that I used the parse command.  The syntax examples are a little light on parse hence me writing this post to give another common example.  Please take a look at Parse for full syntax help in the Language Reference:  https://docs.loganalytics.io/docs/Language-Reference/Tabular-operators/parse-operator

EventData contains a lot of info (this is a shortened paste):

<EventData xmlns="https://schemas.microsoft.com/win/2004/08/events/event"> <Data Name="SubjectUserSid">S-1-5-19</Data> <Data Name="SubjectUserName">LOCAL SERVICE</Data>

The data I wanted was after "SubjectUserName" and contained between the ">" and "<" symbols.

There wasn't a like-for-like example in the help for this, so after a little trial and error I got to this (based on an example I'd seen elsewhere; apologies, but I can't remember where now!):

SecurityEvent
| where EventID == 5061
| project TimeGenerated, Computer, EventData, EventID
| limit 10
| parse EventData with * "SubjectUserName" SubjectUserNameValue " " *

This sort of worked, but the new column I created, "SubjectUserNameValue", contained ">LOCAL: the parse stopped at the space between LOCAL and SERVICE, and I wanted the full value "LOCAL SERVICE".

Changing the last line to this made parse capture everything up to the "<" character instead:

| parse EventData with * "SubjectUserName" SubjectUserNameValue "<" *

However, the result still contained a leading " and > symbol:

">LOCAL SERVICE

To get rid of those symbols, put the whole literal that precedes the value (in my example the closing quote of "SubjectUserName" and the > character) inside single quotes, so that parse consumes it as part of the match rather than leaving it in the extracted column, e.g.

| parse EventData with * '"SubjectUserName">' SubjectUserName '<' *

So the final syntax is:

SecurityEvent
| where EventID == 5061
| project TimeGenerated, Computer, EventData, EventID
| parse EventData with * '"SubjectUserName">' SubjectUserName '<' *
| where isnotempty(SubjectUserName)
| project SubjectUserName


Note: I had removed the limit and also added a check to only display non-empty values (isnotempty); if you have lots of data you might want to look at limit, top or take to reduce the number of results returned.
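As an added example (not from the original post), here is the same parse applied to a constructed, SecurityEvent-shaped datatable so it runs in any Log Analytics workspace without real data. It goes one step beyond the post by pulling SubjectUserSid and SubjectUserName in a single parse statement and then summarising by the extracted values; the rows, computer names and timestamps are made up.

```kusto
// Constructed sample rows shaped like SecurityEvent; not real telemetry.
// Row 3 has no SubjectUserName, row 4 is a different EventID.
let SampleEvents = datatable(TimeGenerated:datetime, Computer:string, EventID:int, EventData:string) [
    datetime(2018-01-10 09:00:00), "SRV01", 5061,
        '<EventData xmlns="https://schemas.microsoft.com/win/2004/08/events/event"><Data Name="SubjectUserSid">S-1-5-19</Data><Data Name="SubjectUserName">LOCAL SERVICE</Data></EventData>',
    datetime(2018-01-10 09:05:00), "SRV01", 5061,
        '<EventData xmlns="https://schemas.microsoft.com/win/2004/08/events/event"><Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">SYSTEM</Data></EventData>',
    datetime(2018-01-10 09:10:00), "SRV02", 5061,
        '<EventData xmlns="https://schemas.microsoft.com/win/2004/08/events/event"><Data Name="AlgorithmName">RSA</Data></EventData>',
    datetime(2018-01-10 09:15:00), "SRV02", 4624,
        '<EventData xmlns="https://schemas.microsoft.com/win/2004/08/events/event"><Data Name="SubjectUserName">Administrator</Data></EventData>'
];
SampleEvents
| where EventID == 5061
// One parse statement can extract several values. Each single-quoted literal
// (including the closing double quote and the '>') is consumed by the match,
// so the extracted columns hold only the text between '>' and '<'.
| parse EventData with * '"SubjectUserSid">' SubjectUserSid '<' * '"SubjectUserName">' SubjectUserName '<' *
// Rows where the pattern does not match get empty strings, so drop them.
| where isnotempty(SubjectUserName)
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, SubjectUserSid, SubjectUserName
```

Running this should return two rows (LOCAL SERVICE and SYSTEM on SRV01); the SRV02 rows are dropped by the EventID filter and the isnotempty check respectively.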