
Trying to parse the below string from Azure WAF logs.

Matched Data: \x22:\x22SURVEY_0001\x22,\x22e found within REQUEST_COOKIES:cspSurvey: {\x22surveyId\x22:\x22SURVEY_0001\x22,\x22exit\x22:1}

I want to return the cookie name, which is after REQUEST_COOKIES: and the cookie value which is after the cookie name (cspSurvey in this example)

I tried this ugly code, but the array index of the cookie name is not always the same.

| extend cookie_value  = split(details_data_s, ' ')[-1]
| extend cookie = split(split(details_data_s, ' ')[-2],':')[1]

Below is my full query

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where OperationName == "ApplicationGatewayFirewall"
| where details_data_s contains "cookie"
| extend cookie_value  = split(details_data_s, ' ')[-1]
| extend cookie = split(split(details_data_s, ' ')[-2],':')[1]
| project clientIp_s, requestUri_s, ruleGroup_s, details_data_s, cookie, cookie_value
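One way to extract both fields without relying on token positions, as an added example that is not part of the original post: the KQL `parse` operator anchors on the literal text `found within REQUEST_COOKIES:` instead of splitting on spaces. The `SampleWafLogs` table, its second row, and the `cookie_value_decoded` column are constructed for illustration, and the example assumes the cookie name is always followed by `: ` as in the log line quoted above.

```kusto
// Constructed sample rows standing in for AzureDiagnostics; only details_data_s is modelled.
// Row 1 is the log line from the question. Row 2 is made up and has spaces in both the
// matched data and the cookie value, which is the case that shifts split(..., ' ') indexes.
let SampleWafLogs = datatable(details_data_s:string)
[
    @'Matched Data: \x22:\x22SURVEY_0001\x22,\x22e found within REQUEST_COOKIES:cspSurvey: {\x22surveyId\x22:\x22SURVEY_0001\x22,\x22exit\x22:1}',
    @'Matched Data: a b c found within REQUEST_COOKIES:prefs: theme=dark; lang=en us'
];
SampleWafLogs
// Keep only rows where the rule matched on a cookie value.
| where details_data_s contains_cs "REQUEST_COOKIES:"
// "*" skips the matched-data prefix, "cookie" captures up to the next ": ",
// and the last column takes the rest of the line, spaces included.
| parse details_data_s with * "found within REQUEST_COOKIES:" cookie ": " cookie_value
// The WAF logs double quotes as the literal four characters \x22; restore them for readability.
| extend cookie_value_decoded = replace_string(cookie_value, @'\x22', '"')
| project details_data_s, cookie, cookie_value, cookie_value_decoded
```

Against the real table, replace `SampleWafLogs` with `AzureDiagnostics` plus the `ResourceType` and `OperationName` filters from the query above, and keep the `parse` line unchanged.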

1 Answer