Skip to content

The issue of Log Analytics column names and spaces

Today it’s time for a rather short blog post on an issue I ran into for which I couldn’t find anything online.

The issue

I have been working with the Sentinel API to create watchlists lately. During my endeavors, I ran into an issue when trying to use some of the columns of my watchlist. When I tried to extend any column beside the first one, I received the following error:

The exact error ‘Failed to resolve scalar expression named ‘Ranges” doesn’t say much. It would seem like the column doesn’t exist. Running the getschema command showed that the column was valid and I was using the correct name.

The solution

I ended up reaching out to a Sentinel PM who was able to help me out. I was using the following Powershell code inside of my script to generate the watchlist:

$CSVContent = "Name,  Ranges\r\n"

You might notice that there is a space before the word Ranges. It turns out that the watchlists API for Sentinel supports spaces, but it doesn’t show them clearly in the portal.

In order to get things working, you need to query the column with the space included in the name. This can be done as follows:

_GetWatchlist(‘MSIPSFinalv10’)| extend test=[‘ Ranges’] 

With this KQL query, I was able to retrieve the data just fine.

The trick is just knowing that you really need to be careful with spaces. I would recommend not including spaces into the names of your columns as this can cause a lot of confusion within your team.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

<span>%d</span> bloggers like this: