Forum Discussion
How to access Null fields in Parsers
Ronak_Shah Take a look at the KQL command column_ifexists() - Azure Data Explorer | Microsoft Docs
It will check to see if a column exists and, if it does, will return its value; otherwise it will return a default value.
- Ronak_Shah, Aug 24, 2021, Copper Contributor
Hi, thanks for your response.
Actually, the command column_ifexists() will be implemented in the parsers, and it will be useful when we actually know the column name. In column_ifexists('column_name',''), it will check whether the 'column_name' column is present or not; if not, then a null value will be added. But this is all possible when we actually know the 'column_name'.
And as Azure has removed the column with the null field, it has actually removed our access to the column_name. So how do we know then what to actually type in as the 'column_name'?
So is there any method by which we don't allow Azure to remove those columns with null fields?
- GaryBushey, Aug 24, 2021, Bronze Contributor
Ronak_Shah Wouldn't the system that is sending the data have a list of the fields it is sending?
- Ronak_Shah, Aug 26, 2021, Copper Contributor
Hi, thanks for your response.
Actually yes, the system that is sending the data has a list of the fields it is sending. But when we pass the data through the API to Azure Sentinel, Azure, while parsing the data, changes the field names. For example, in our system we sent the field "name" --> then Azure checked the values of those fields
--> If the values are null for all the events, then that field is removed
--> If the field is not null, then that field is present in Azure, with a new name, say "name_s"
So our concern is: if the field is removed by Azure, how do we know whether that field will come with the name "name_s" or "something_else", so that we can then write column_ifexists('name_s','') or column_ifexists('something_else','')?
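
Added example, not part of any post in this thread: one way to get the column names from the sender's own field list is to apply the type suffix that the Log Analytics HTTP Data Collector API appends to custom fields, then generate the column_ifexists() lines from it. It assumes the data is ingested through that API; the table name MyApp_CL, the field names and both function names are hypothetical.

```python
# Added example: derive workspace column names from the sender's field list
# and emit null-safe KQL parser lines. Assumes ingestion via the HTTP Data
# Collector API, which appends a type suffix to every custom field.

# declared type -> (column suffix, KQL default used when the column is absent)
SUFFIXES = {
    "string":   ("_s", '""'),
    "bool":     ("_b", "bool(null)"),
    "double":   ("_d", "real(null)"),
    "datetime": ("_t", "datetime(null)"),
}


def column_name(field, field_type):
    """Column name the workspace assigns to a sender-side field of this type."""
    if field_type not in SUFFIXES:
        raise ValueError(f"unsupported type {field_type!r} for field {field!r}")
    return field + SUFFIXES[field_type][0]


def parser_lines(table, schema):
    """Build a KQL parser that still works when an all-null column was never created."""
    lines = [table]
    for field, field_type in schema.items():
        col = column_name(field, field_type)
        default = SUFFIXES[field_type][1]
        # A typed default keeps the output column's type stable either way.
        lines.append(f'| extend {field} = column_ifexists("{col}", {default})')
    lines.append("| project TimeGenerated, " + ", ".join(schema))
    return "\n".join(lines)


# Constructed sender schema: the type each field has when it is not null.
SCHEMA = {"name": "string", "port": "double", "blocked": "bool", "seen": "datetime"}

if __name__ == "__main__":
    print(parser_lines("MyApp_CL", SCHEMA))
```

The declared type has to come from the sender, because a field that is null in every event carries no type information by the time it reaches the workspace.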