尝试从 Azure WAF 日志中解析以下字符串。
Matched Data: \x22:\x22SURVEY_0001\x22,\x22e found within REQUEST_COOKIES:cspSurvey: {\x22surveyId\x22:\x22SURVEY_0001\x22,\x22exit\x22:1}
我想返回在 REQUEST_COOKIES: 之后的 cookie 名称和在 cookie 名称之后的 cookie 值(本例中为 cspSurvey)
我试过这个丑陋的代码,但是cookie名称的数组索引并不总是一样的。
| extend cookie_value = split(details_data_s, ' ')[-1]
| extend cookie = split(split(details_data_s, ' ')[-2],':')[1]
以下是我的完整查询
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where OperationName == "ApplicationGatewayFirewall"
| where details_data_s contains "cookie"
| extend cookie_value = split(details_data_s, ' ')[-1]
| extend cookie = split(split(details_data_s, ' ')[-2],':')[1]
| project clientIp_s, requestUri_s, ruleGroup_s, details_data_s, cookie, cookie_value