1

尝试从 Azure WAF 日志中解析以下字符串。

Matched Data: \x22:\x22SURVEY_0001\x22,\x22e found within REQUEST_COOKIES:cspSurvey: {\x22surveyId\x22:\x22SURVEY_0001\x22,\x22exit\x22:1}

我想返回在 REQUEST_COOKIES: 之后的 cookie 名称和在 cookie 名称之后的 cookie 值(本例中为 cspSurvey)

我试过这个丑陋的代码,但是cookie名称的数组索引并不总是一样的。

| extend cookie_value  = split(details_data_s, ' ')[-1]
| extend cookie = split(split(details_data_s, ' ')[-2],':')[1]

以下是我的完整查询

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where OperationName == "ApplicationGatewayFirewall"
| where details_data_s contains "cookie"
| extend cookie_value  = split(details_data_s, ' ')[-1]
| extend cookie = split(split(details_data_s, ' ')[-2],':')[1]
| project clientIp_s, requestUri_s, ruleGroup_s, details_data_s, cookie, cookie_value
4

1 回答 1

0

您可以尝试使用parse运算符:https ://docs.microsoft.com/en-us/azure/kusto/query/parseoperator

print value = 'Matched Data: \x22:\x22SURVEY_0001\x22,\x22e found within REQUEST_COOKIES:cspSurvey: {\x22surveyId\x22:\x22SURVEY_0001\x22,\x22exit\x22:1}'
| parse value with * "REQUEST_COOKIES:" cookie_name ": " cookie_value:dynamic
于 2019-05-21T00:33:01.303 回答