// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let nginx_accesslog_events =() {
NGINX_CL
| where RawData matches regex @'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\[.*\]\s\"(GET|POST).*?\"\s([1-5][0-9]{2})\s(\d+)\s\"(.*?)\"\s\"(.*?)\".*'
| extend EventProduct = 'NGINX'
| extend EventType = 'AccessLog'
| extend EventData = split(RawData, '"')
| extend SubEventData0 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[0])))), ' ')
| extend SubEventData1 = split(EventData[1], ' ')
| extend SubEventData2 = split(trim_start(@' ', (trim_end(@' ', tostring(EventData[2])))), ' ')
| extend SrcIpAddr = tostring(SubEventData0[0])
| extend SrcUserName = SubEventData0[2]
| extend EventStartTime = todatetime(replace(@'\/', @'-', replace(@'(\d{2}\/\w{3}\/\d{4}):(\d{2}\:\d{2}\:\d{2})', @'\1 \2', extract(@'\[(.*?)\+\d+\]', 1, RawData))))
| extend HttpRequestMethod = SubEventData1[0]
| extend UrlOriginal = SubEventData1[1]
| extend HttpVersion = SubEventData1[2]
| extend HttpStatusCode = SubEventData2[0]
| extend HttpResponseBodyBytes = SubEventData2[1]
| extend HttpReferrerOriginal = EventData[3]
| extend HttpUserAgentOriginal = EventData[5]
};
let nginx_errorlog_events=() {
NGINX_CL
| where RawData matches regex @'\A\d{4}\/\d{2}\/\d{2}\s+\d{2}\:\d{2}\:\d{2}\s+\[.*?\]\s\d+\#\d+\:'
| extend EventProduct = 'NGINX'
| extend EventType = 'ErrorLog'
| extend EventType = 'ErrorLog'
| extend EventSeverity = extract(@'\[(.*?)\]', 1, RawData)
| extend EventStartTime = todatetime(replace(@'\/', '-', extract(@'\A(.*?)\s\[', 1, RawData)))
| extend SrcIpAddr = extract(@'client: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, RawData)
| extend ProcessId = extract(@'\]\s(\d+)\#', 1, RawData)
| extend ThreadId = extract(@'\]\s\d+\#(\d+)\:', 1, RawData)
| extend EventMessage = extract(@'\d+\#\d+\:\s(.*)', 1, RawData)
};
union isfuzzy=true nginx_accesslog_events, nginx_errorlog_events
| project TimeGenerated
        , EventProduct
        , EventType
        , EventSeverity
        , EventStartTime
        , SrcIpAddr
        , SrcUserName
        , HttpRequestMethod
        , UrlOriginal
        , HttpVersion
        , HttpStatusCode
        , HttpResponseBodyBytes
        , HttpReferrerOriginal
        , HttpUserAgentOriginal
        , ProcessId
        , ThreadId
        , EventMessage