Azure Kusto - Use extract() on message field from traces

Question

I am using Azure Log Analytics as part of Azure Application Insights. I am trying to write some Kusto queries to parse some logging generated using the Application Insights Javascript SDK. Here are some sample messages:

"index.ts: imports: 1556.916ms"
"index.ts: imports: 110.486ms import { } from '@azure/keyvault-secrets'"
"index.ts: imports: 110.396ms import { } from '@azure/event-hubs'"
"index.ts: imports: 110.023ms import { } from 'applicationinsights'"
"index.ts: imports: 0.131ms import { } from '@azure/functions'"

In Log Analytics inside of Azure Application Insights, I am trying to extract out the file name from the message column using extract(). So far, my Kusto Query looks like:

traces
| where message contains "imports" 
| extend file = extract("^.+\.ts", 1, message)
| sort by timestamp desc
| limit 100

When I try running this query, I get an error stating:

Syntax Error

If issue persists, please open a support ticket.

Request id: 124e777f-136e-4a75-8fa7-a49483a12902

What am I missing and where is my error?

Answer 1

the issues in your query are:

1. you have a character (\) in your string that either requires escaping, or using a verbatim string literal. see more here: https://learn.microsoft.com/en-us/azure/kusto/query/scalar-data-types/string

2. you're missing a capture group in your regular expression.

if you fix those, this should work: | extend file = extract(@"^(.+)\.ts", 1, s)

however, and regardless, you could use the more efficient parse operator, as follows:

datatable(s:string)
[
    "index.ts: imports: 1556.916ms",
    "index.ts: imports: 110.486ms import { } from '@azure/keyvault-secrets'",
    "index.ts: imports: 110.396ms import { } from '@azure/event-hubs'",
    "index.ts: imports: 110.023ms import { } from 'applicationinsights'",
    "index.ts: imports: 0.131ms import { } from '@azure/functions'",
]
| parse s with file ".ts" *