extract()

Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel

Get a match for a regular expression from a source string.

Optionally, convert the extracted substring to the indicated type.

Syntax

extract(regex, captureGroup, source [, typeLiteral])

Learn more about syntax conventions.

Parameters

| Name | Type | Required | Description |
|---|---|---|---|
| regex | string | ✔️ | A regular expression. |
| captureGroup | int | ✔️ | The capture group to extract. 0 stands for the entire match, 1 for the value matched by the first parenthesized group '(...)' in the regular expression, and 2 or more for subsequent parenthesized groups. |
| source | string | ✔️ | The string to search. |
| typeLiteral | string | | If provided, the extracted substring is converted to this type. For example, typeof(long). |

Returns

If regex finds a match in source: the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral.

If there's no match, or the type conversion fails: null.

Examples

Extract month from datetime string

The following query extracts the month from each date string in the Dates table and returns a table with the date string and the month.

let Dates = datatable(DateString: string)
[
    "15-12-2024",
    "21-07-2023",
    "10-03-2022"
];
Dates
| extend Month = extract(@"-(\d{2})-", 1, DateString, typeof(int))
| project DateString, Month

Output

DateString Month
15-12-2024 12
21-07-2023 7
10-03-2022 3

Extract username from a string

The following example returns the username from the string. The regular expression ([^,]+) matches the text following "User: " up to the next comma, effectively extracting the username.

let Text = "User: JohnDoe, Email: johndoe@example.com, Age: 29";
// print starts its own query statement, so it takes no leading pipe.
print UserName = extract("User: ([^,]+)", 1, Text)

Output

UserName
JohnDoe
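
Extract fields from log lines and flag rows that did not parse

The following query is an added example, not part of the original page. It applies extract() to constructed sshd-style log lines and uses the return behavior described under Returns to flag rows where a pattern did not match or the type conversion failed. The table name AuthLog, the column names, and the sample lines are assumptions made for illustration.

```kusto
// Constructed sample lines in the style of sshd authentication logs (not real data).
let AuthLog = datatable(Line: string)
[
    "Failed password for invalid user admin from 203.0.113.7 port 52144 ssh2",
    "Failed password for root from 198.51.100.23 port 40022 ssh2",
    "Accepted publickey for deploy from 192.0.2.10 port 51515 ssh2",
    "Failed password for root from 198.51.100.23 port 99999999999 ssh2", // port does not fit in int
    "Connection closed by authenticating user root"                      // no user/IP/port pattern
];
AuthLog
// Capture group 1 is the first parenthesized group; (?:...) groups are not counted.
| extend Outcome = extract(@"^(Failed|Accepted)", 1, Line)
| extend User    = extract(@"for (?:invalid user )?(\S+) from", 1, Line)
| extend SrcIp   = extract(@"from (\d{1,3}(?:\.\d{1,3}){3}) port", 1, Line)
// typeof(int) converts the captured digits; a failed conversion yields null.
| extend SrcPort = extract(@"port (\d+)", 1, Line, typeof(int))
// String results are tested with isnotempty(), typed results with isnotnull().
| extend ParseOk = isnotempty(SrcIp) and isnotnull(SrcPort)
| project Outcome, User, SrcIp, SrcPort, ParseOk, Line
```

Rows with ParseOk set to false are worth reviewing separately rather than filtering out, because a log line that the pattern does not cover is otherwise silently missing from any detection built on the extracted columns.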