Dashboard
Account 🔐
Sign Up
Login
Global Leaderboard
Game Vault
Badge Backpack
Blue Team Glossary
Login and start playing
Leaving so soon?
×
You really want to log out? We were having so much fun!
Home
›
Glossary
›
Kusto
›
parse
Parse
Kusto
Definition
The `parse` operator in Kusto Query Language (KQL) extracts structured data from a string column using a specified pattern. It lets you define how parts of the text should be mapped into new columns, based on constant text and placeholders. This makes it useful for turning unstructured or semi-structured log data into usable fields for filtering, analysis, and visualization.
Explore More Terms
Windows-Event-Ids
Remote-Services-Exploitation
Take
Incident
Mv-Expand
Examples & Use Cases
``` | parse Message with "User: " User ", Action: " Action ``` If `Message` contains: User: Alice, Action: Login It will produce to 2 new columns (**User**, **Action**) on top of the existing table, where in this case: * User = Alice * Action = Login --- ### Parsing Multiple Fields ``` | parse Message with "IP=" IP " User=" User " Status=" Status ``` This extracts multiple values from a structured log message into separate columns. --- ### Using Wildcards You can use `*` to skip unwanted parts of the text: ``` | parse Message with * "Error: " ErrorMessage ``` This extracts everything after “Error:” into a new column. --- ### Typed Parsing You can specify data types while parsing: ``` | parse Message with "Age: " Age:int ", Name: " Name ``` This converts `Age` into an integer automatically. --- ### Why it matters Logs and telemetry data are often stored as raw text. Without parsing, it is difficult to filter, group, or analyze specific values. * Converts unstructured text into structured columns * Makes filtering and aggregation easier * Helps uncover insights hidden in log data However, `parse` relies on consistent patterns. If the format varies, extraction may fail or return null values. --- ## Further Reading - [Microsoft Learn - parse operator](https://learn.microsoft.com/en-us/kusto/query/parse-operator)
.png)
