Kusto - extract key value from the Kusto table result

Question

How do I extract a set of key value from Kusto Table result. I have a Data field (column in Kusto table) that has log details (15 lines with time stamp). Out of these 15 lines, the last 3 lines has a key value pair which I will need to use in the Query to filter and display results.

Do I use the below method can you give some examples

Extract values on column with strings sharing the same format or pattern -

Example Values from column are (last 3 lines from the Data section)

2021-09-05T06:42:19.2287304Z VMtype - C4
2021-09-05T06:42:19.2287304Z patchsizeMB - 2533```

I am trying with the below Query is this the right way of doing

```| parse Data with * "Virtual machine =" Virtual machine 
| parse Data with * "VMtype=" VMtype
| parse Data with * "patchsizeMB=" patchsizeMB```

Answer 1

The way that you implemented it is fine, easiest to understand, and maintain.

Here is a full example, where the results are returned in one row for each timestamp:

datatable(Data:string)["2021-09-05T06:42:19.2287304Z VMtype - C4",
                       "2021-09-05T06:42:19.2287304Z patchsizeMB - 2533",
                       "2021-09-05T06:42:19.2287304Z Virtual machine - VM_Name"]
| parse Data with Timestemp:datetime " " *
| parse Data with * "Virtual machine -" VirtualMachine 
| parse Data with * "VMtype -" VMtype
| parse Data with * "patchsizeMB -" patchsizeMB
| summarize take_any(VirtualMachine), take_any(VMtype), take_any(patchsizeMB) by bin(Timestemp, 1d)

Results:

Timestemp	VirtualMachine	VMtype	patchsizeMB
2021-09-05	VM_Name	C4	2533

You can also implement it by splitting the string into an array and working on the array to populate the appliable values but it is much more code and probably more fragile.