Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Get a match for a regular expression from a source string.
Optionally, convert the extracted substring to the indicated type.
extract(regex, captureGroup, source [, typeLiteral])
Learn more about syntax conventions.
| Name | Type | Required | Description |
|---|---|---|---|
| regex | string |
✔️ | A regular expression. |
| captureGroup | int |
✔️ | The capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, and 2 or more for subsequent parentheses. |
| source | string |
✔️ | The string to search. |
| typeLiteral | string |
If provided, the extracted substring is converted to this type. For example, typeof(long). |
If regex finds a match in source: the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral.
If there's no match, or the type conversion fails: null.
The following query extracts the month from the string Dates and returns a table with the date string and the month.
let Dates = datatable(DateString: string)
[
"15-12-2024",
"21-07-2023",
"10-03-2022"
];
Dates
| extend Month = extract(@"-(\d{2})-", 1, DateString, typeof(int))
| project DateString, Month
Output
| DateString | Month |
|---|---|
| 15-12-2024 | 12 |
| 21-07-2023 | 7 |
| 10-03-2022 | 3 |
The following example returns the username from the string. The regular expression ([^,]+) matches the text following "User: " up to the next comma, effectively extracting the username.
let Text = "User: JohnDoe, Email: johndoe@example.com, Age: 29";
| print UserName = extract("User: ([^,]+)", 1, Text)
Output
| UserName |
|---|
| JohnDoe |