runHuntingQuery API and 'evaluate pivot'

Hey Tim4​ ,

The likely culprit is pivot's data-dependent output schema. Microsoft's pivot plugin docs flag it as "not recommended for automation jobs without specifying the OutputSchema function." When the API can't resolve a column set that depends on the data, you get a generic failure. UnknownError with an empty message is documented as a catchall on the hunting API, so the error alone doesn't confirm plugin rejection. The symptom is consistent with the pivot automation caveat.

Two options to try:

Option 1: Add an explicit OutputSchema to your pivot call. If you can enumerate the Status values up front, this is the lowest-effort fix.

SomeTable

| evaluate pivot(Status, sum(Count), OutputSchema=(Category:string, Approved:long, Denied:long, Pending:long))

Option 2: Drop pivot and shape consumer-side. Return long-form rows:

SomeTable

| summarize Count = count() by Category, Status

In Power Apps, group by Category and use AddColumns / LookUp (or Collect + GroupBy) to spread Status values into columns. If you want every Status as a guaranteed column even when the count is zero, generate the full grid with range and a cross join before the summarize.

If neither resolves it, worth opening a support case. The advanced hunting errors doc treats persistent UnknownError as a signal to escalate.

References:

pivot plugin: https://learn.microsoft.com/en-us/kusto/query/pivot-plugin

Advanced hunting errors: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-errors