Tim4
Copper Contributor
May 01, 2026

runHuntingQuery API and 'evaluate pivot'

Seem to have a problem where any request to the runHuntingQuery API with 'evaluate pivot' fails with

"error": {
        "code": "UnknownError",
        "message": "",

Is this just a 'feature'? The query happily runs through the website/XDR portal. :-(

Is there a way to simulate a pivot (easily) in Power Apps?

 

1 Reply

  • DerekMorgan2
    Brass Contributor

    Hey Tim4,

     

    The likely culprit is pivot's data-dependent output schema. Microsoft's pivot plugin docs flag it as "not recommended for automation jobs without specifying the OutputSchema function." When the API can't resolve a column set that depends on the data, you get a generic failure. UnknownError with an empty message is documented as a catchall on the hunting API, so the error alone doesn't confirm plugin rejection. The symptom is consistent with the pivot automation caveat.

     

    Two options to try:

     

    Option 1: Add an explicit OutputSchema to your pivot call. If you can enumerate the Status values up front, this is the lowest-effort fix.

     

    // The output schema follows the plugin call, after a colon.
    SomeTable
    | evaluate pivot(Status, sum(Count)) : (Category:string, Approved:long, Denied:long, Pending:long)

     

    Option 2: Drop pivot and shape consumer-side. Return long-form rows:

     

    SomeTable
    | summarize Count = count() by Category, Status

     

    In Power Apps, group by Category and use AddColumns / LookUp (or Collect + GroupBy) to spread Status values into columns. If you want every Status as a guaranteed column even when the count is zero, generate the full grid with range and a cross join before the summarize.

     

    If neither resolves it, worth opening a support case. The advanced hunting errors doc treats persistent UnknownError as a signal to escalate.

     

    References:

    pivot plugin: https://learn.microsoft.com/en-us/kusto/query/pivot-plugin

    Advanced hunting errors: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-errors
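
Added example (not part of the reply above, and not Microsoft's code): a Python sketch of the consumer-side shaping described in Option 2, spreading long-form rows into a fixed set of Status columns and reporting any Status value outside that set. The sample response, the `pivot_long_rows` helper and the `EXPECTED_STATUSES` list are constructed for illustration; the response is assumed to carry its rows under `results`.

```python
from collections import defaultdict

# Constructed sample shaped like a hunting query response body
# ("schema" + "results"); table name and values are made up.
SAMPLE_RESPONSE = {
    "schema": [
        {"name": "Category", "type": "String"},
        {"name": "Status", "type": "String"},
        {"name": "Count", "type": "Int64"},
    ],
    "results": [
        {"Category": "Email", "Status": "Approved", "Count": 12},
        {"Category": "Email", "Status": "Denied", "Count": 3},
        {"Category": "Endpoint", "Status": "Approved", "Count": 7},
        {"Category": "Endpoint", "Status": "Quarantined", "Count": 1},
    ],
}

# Assumed fixed column set, matching the columns listed in Option 1.
EXPECTED_STATUSES = ("Approved", "Denied", "Pending")


def pivot_long_rows(response, key="Category", pivot="Status", value="Count",
                    expected=EXPECTED_STATUSES):
    """Spread long-form rows into one wide row per key.

    Returns (wide_rows, unexpected). Every expected status is always a
    column (0 when absent). Values outside `expected` are tallied in
    `unexpected` instead of silently changing the column set, which is
    the data-dependent schema behaviour that makes pivot awkward to automate.
    """
    wide = defaultdict(lambda: dict.fromkeys(expected, 0))
    unexpected = defaultdict(int)
    for row in response.get("results", []):
        cols = wide[row[key]]  # creates the zero-filled row on first sight
        status, count = row[pivot], int(row[value])
        if status in expected:
            cols[status] += count
        else:
            unexpected[status] += count
    rows = [{key: k, **cols} for k, cols in sorted(wide.items())]
    return rows, dict(unexpected)


if __name__ == "__main__":
    rows, drift = pivot_long_rows(SAMPLE_RESPONSE)
    for r in rows:
        print(r)
    print("unexpected statuses:", drift)
```

A non-empty `unexpected` result means the Status values have drifted from the assumed list, so the list (and any OutputSchema built from it) needs updating.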