ExtractParseParse-kv-Tabular

This is an example from the WPNinja Summit 2022 session "Throwing KQL like a shuriken", presented by Gianni Castaldi and Alex Verboon.

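// Old-school approach: one extract() call with its own regex per key.
// The capture group is [^"]* rather than \w+, so each value is taken up to its closing quote.
// \w+ stops at the first space, dot or hyphen and silently returns a shortened value,
// which can make a later filter or join on that column miss.
let Table = datatable(ParseMe:string)
[
'fruit="Apples", color="Orange", packing="Bottle"',
'fruit="Bananas", color="Red", packing="Crate"',
'fruit="Pears", color="Green", packing="Box"',
'fruit="Cherries", color="Yellow", packing="Envelope"',
'fruit="Oranges", color="Blue", packing="Tube"'
];
Table
// extract(regex, captureGroup, source): group 1 is the text between the quotes
| extend fruit = extract('fruit="([^"]*)', 1, ParseMe)
    , color = extract('color="([^"]*)', 1, ParseMe)
    , packing = extract('packing="([^"]*)', 1, ParseMe)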

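// But extract is slow and regex is hard, so use parse with a literal pattern instead.
// The pattern is positional: the literals have to occur in ParseMe in exactly this order.
// A row that does not match is kept with empty fruit/color/packing columns
// (parse-where drops such rows instead), so check for empty values before relying on them.
// The closing '"' after packing matters: with nothing after the last column, that column
// takes the rest of the string, closing quote included. The trailing * skips anything that follows.
let Table = datatable(ParseMe:string)
[
'fruit="Apples", color="Orange", packing="Bottle"',
'fruit="Bananas", color="Red", packing="Crate"',
'fruit="Pears", color="Green", packing="Box"',
'fruit="Cherries", color="Yellow", packing="Envelope"',
'fruit="Oranges", color="Blue", packing="Tube"'
];
Table
| parse ParseMe with 'fruit="' fruit '", color="' color '", packing="' packing '"' *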

// parse only works while the keys arrive in the order the pattern spells out.
// parse-kv is given the key names and the delimiters instead of a positional pattern.
let Samples = datatable(ParseMe:string)
[
    'fruit="Apples", color="Orange", packing="Bottle"',
    'fruit="Bananas", color="Red", packing="Crate"',
    'fruit="Pears", color="Green", packing="Box"',
    'fruit="Cherries", color="Yellow", packing="Envelope"',
    'fruit="Oranges", color="Blue", packing="Tube"'
];
Samples
// Each declared key becomes a typed output column; quote='"' strips the quotes around the values
| parse-kv ParseMe as (fruit:string, color:string, packing:string)
    with (pair_delimiter=',', kv_delimiter='=', quote='"')

// Same input, but the keys are declared in a different order than they appear in the text.
// parse-kv matches on key name, so the values are expected to be the same as before,
// with the output columns following the declared order (packing, color, fruit).
let Samples = datatable(ParseMe:string)
[
    'fruit="Apples", color="Orange", packing="Bottle"',
    'fruit="Bananas", color="Red", packing="Crate"',
    'fruit="Pears", color="Green", packing="Box"',
    'fruit="Cherries", color="Yellow", packing="Envelope"',
    'fruit="Oranges", color="Blue", packing="Tube"'
];
Samples
| parse-kv ParseMe as (packing:string, color:string, fruit:string)
    with (pair_delimiter=',', kv_delimiter='=', quote='"')

// Tabular function: wraps the parse-kv step so the same parsing logic is written once
// and reused by every query that calls it.
// Takes a tabular argument declared as (ParseMe:string) and returns the parsed
// fruit/color/packing columns, with the raw ParseMe column removed.
let TableParser = (Source:(ParseMe:string)) {
    Source
    | parse-kv ParseMe as (fruit:string, color:string, packing:string)
        with (pair_delimiter=',', kv_delimiter='=', quote='"')
    // Drop the raw text once the fields have been extracted
    | project-away ParseMe
};
// Sample input, handed to TableParser as its tabular argument
let Samples = datatable(ParseMe:string)
[
    'fruit="Apples", color="Orange", packing="Bottle"',
    'fruit="Bananas", color="Red", packing="Crate"',
    'fruit="Pears", color="Green", packing="Box"',
    'fruit="Cherries", color="Yellow", packing="Envelope"',
    'fruit="Oranges", color="Blue", packing="Tube"'
];
// The query itself is now a single call to the function
TableParser(Samples)
