extract()
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
Get a match for a regular expression from a source string.
Optionally, convert the extracted substring to the indicated type.
Syntax
extract(
regex,
captureGroup,
source [,
typeLiteral])
Learn more about syntax conventions.
Parameters
Name | Type | Required | Description |
---|---|---|---|
regex | string |
✔️ | A regular expression. |
captureGroup | int |
✔️ | The capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, and 2 or more for subsequent parentheses. |
source | string |
✔️ | The string to search. |
typeLiteral | string |
If provided, the extracted substring is converted to this type. For example, typeof(long) . |
Returns
If regex finds a match in source: the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral.
If there's no match, or the type conversion fails: null
.
Examples
Extract month from datetime string
The following query extracts the month from the string Dates
and returns a table with the date string and the month.
let Dates = datatable(DateString: string)
[
"15-12-2024",
"21-07-2023",
"10-03-2022"
];
Dates
| extend Month = extract(@"-(\d{2})-", 1, DateString, typeof(int))
| project DateString, Month
Output
DateString | Month |
---|---|
15-12-2024 | 12 |
21-07-2023 | 7 |
10-03-2022 | 3 |
Extract username from a string
The following example returns the username from the string. The regular expression ([^,]+)
matches the text following "User: " up to the next comma, effectively extracting the username.
let Text = "User: JohnDoe, Email: johndoe@example.com, Age: 29";
| print UserName = extract("User: ([^,]+)", 1, Text)
Output
UserName |
---|
JohnDoe |