Azure Log Analytics parse WAF data (string data in general)
I am trying to parse the following string from Azure WAF logs.
Matched Data: \x22:\x22SURVEY_0001\x22,\x22e found within REQUEST_COOKIES:cspSurvey: {\x22surveyId\x22:\x22SURVEY_0001\x22,\x22exit\x22:1}
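I want to return the cookie name that follows REQUEST_COOKIES: and the cookie value that follows the cookie name (cspSurvey in this example).
I tried this ugly code, but the array index of the cookie name is not always the same.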
| extend cookie_value = split(details_data_s, ' ')[-1]
| extend cookie = split(split(details_data_s, ' ')[-2],':')[1]
Here is my full query:
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where OperationName == "ApplicationGatewayFirewall"
| where details_data_s contains "cookie"
| extend cookie_value = split(details_data_s, ' ')[-1]
| extend cookie = split(split(details_data_s, ' ')[-2],':')[1]
| project clientIp_s, requestUri_s, ruleGroup_s, details_data_s, cookie, cookie_value
You can try using the parse operator: https://docs.microsoft.com/en-us/azure/kusto/query/parseoperator
print value = 'Matched Data: \x22:\x22SURVEY_0001\x22,\x22e found within REQUEST_COOKIES:cspSurvey: {\x22surveyId\x22:\x22SURVEY_0001\x22,\x22exit\x22:1}'
| parse value with * "REQUEST_COOKIES:" cookie_name ": " cookie_value:dynamic
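The parse approach applied to the full query from the question, as an added example that is not part of the original answer. It uses constructed sample rows in place of AzureDiagnostics and assumes the stored field holds the literal characters \x22 as displayed in the question, which are turned back into double quotes before JSON parsing.

```kusto
// Constructed sample rows standing in for AzureDiagnostics.
// Column names are the ones used in the question; all values are made up.
datatable(clientIp_s:string, requestUri_s:string, ruleGroup_s:string, details_data_s:string)
[
    "203.0.113.10", "/survey", "constructed-rule-group",
    @'Matched Data: \x22:\x22SURVEY_0001\x22,\x22e found within REQUEST_COOKIES:cspSurvey: {\x22surveyId\x22:\x22SURVEY_0001\x22,\x22exit\x22:1}',
    "203.0.113.11", "/search", "constructed-rule-group",
    @'Matched Data: select found within ARGS:q: select 1'
]
// parse-where keeps only rows that match the pattern, so rows that are not
// about REQUEST_COOKIES (the second sample row) are dropped here.
// Anchoring on the "REQUEST_COOKIES:" literal removes the dependency on
// how many spaces or colons appear earlier in the message.
| parse-where details_data_s with * "REQUEST_COOKIES:" cookie_name ": " cookie_value
// Assumption: quotes are stored as the four literal characters \x22.
// Restore them so the cookie value can be read as JSON.
| extend cookie_json = parse_json(replace_string(cookie_value, @'\x22', '"'))
| project clientIp_s, requestUri_s, ruleGroup_s,
          cookie_name,                                  // cspSurvey
          cookie_value,                                 // raw text as logged
          survey_id = tostring(cookie_json.surveyId)    // SURVEY_0001
```

To run it against real data, replace the datatable block with the AzureDiagnostics source and the two ResourceType and OperationName filters from the question.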