ExtractParseParse-kv-Tabular
This is an example from the WPNinja Summit 2022 session "Throwing KQL like a shuriken", presented by Gianni Castaldi and Alex Verboon.
// Oldschool extract with regex
let Table = datatable(ParseMe:string)
[
  'fruit="Apples", color="Orange", packing="Bottle"',
  'fruit="Bananas", color="Red", packing="Crate"',
  'fruit="Pears", color="Green", packing="Box"',
  'fruit="Cherries", color="Yellow", packing="Envelope"',
  'fruit="Oranges", color="Blue", packing="Tube"'
];
// One extract() per key: capture group 1 is the run of word characters that
// follows the opening quote. Verbatim @'...' literals spare the doubled
// backslash. \w+ stops at the first non-word character, so a value holding a
// space or punctuation would come back truncated.
Table
| extend fruit   = extract(@'fruit="(\w+)',   1, ParseMe)
| extend color   = extract(@'color="(\w+)',   1, ParseMe)
| extend packing = extract(@'packing="(\w+)', 1, ParseMe)
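// But extract is slow and regex is hard
let Table = datatable(ParseMe:string)
[
  'fruit="Apples", color="Orange", packing="Bottle"',
  'fruit="Bananas", color="Red", packing="Crate"',
  'fruit="Pears", color="Green", packing="Box"',
  'fruit="Cherries", color="Yellow", packing="Envelope"',
  'fruit="Oranges", color="Blue", packing="Tube"'
];
// parse matches the literals left to right and gives each column the text up
// to the next literal. The last column takes the remainder of the string, so
// the closing quote after packing must be named as a trailing literal;
// without it packing is 'Bottle"' (with the quote) rather than 'Bottle'.
Table
| parse ParseMe with 'fruit="' fruit '", color="' color '", packing="' packing '"'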
// So parse needs to be in the same order
let Table = datatable(ParseMe:string)
[
  'fruit="Apples", color="Orange", packing="Bottle"',
  'fruit="Bananas", color="Red", packing="Crate"',
  'fruit="Pears", color="Green", packing="Box"',
  'fruit="Cherries", color="Yellow", packing="Envelope"',
  'fruit="Oranges", color="Blue", packing="Tube"'
];
// parse-kv locates each pair by its key name rather than by position.
// pair_delimiter separates the pairs, kv_delimiter separates key from value
// and quote='"' tells it how the values are quoted.
Table
| parse-kv ParseMe as (fruit:string, color:string, packing:string)
  with (pair_delimiter=',', kv_delimiter='=', quote='"')
// Now what if we mixup the keys?
let Table = datatable(ParseMe:string)
[
  'fruit="Apples", color="Orange", packing="Bottle"',
  'fruit="Bananas", color="Red", packing="Crate"',
  'fruit="Pears", color="Green", packing="Box"',
  'fruit="Cherries", color="Yellow", packing="Envelope"',
  'fruit="Oranges", color="Blue", packing="Tube"'
];
// Same delimiters as before, but the column list is declared in a different
// order from the input text. Because parse-kv matches on key name, only the
// order of the output columns changes.
Table
| parse-kv ParseMe as (packing:string, color:string, fruit:string)
  with (pair_delimiter=',', kv_delimiter='=', quote='"')
// Tabular Function
// TableParser takes a table that has a ParseMe:string column, splits ParseMe
// into fruit/color/packing with parse-kv and drops the raw column from the
// output so callers only see the parsed fields.
let TableParser = (Source:(ParseMe:string)) {
  Source
  | parse-kv ParseMe as (fruit:string, color:string, packing:string)
    with (pair_delimiter=',', kv_delimiter='=', quote='"')
  | project-away ParseMe
};
// Sample input, then run it through the function.
let Table = datatable(ParseMe:string)
[
  'fruit="Apples", color="Orange", packing="Bottle"',
  'fruit="Bananas", color="Red", packing="Crate"',
  'fruit="Pears", color="Green", packing="Box"',
  'fruit="Cherries", color="Yellow", packing="Envelope"',
  'fruit="Oranges", color="Blue", packing="Tube"'
];
TableParser(Table)