Forum Discussion
How to access Null fields in Parsers
Hi, Thanks for your response
Actually, the command column_ifexists(), will be implemented in the parsers, and it will be useful when we actually know the column name. In column_ifexists('column_name',''), it will check if the 'column_name' column is present or not, if not then null value will be added, But this is all possible when we actually know the 'column_name'.
And as Azure has removed the column with null field, so it has actually removed our access to the column_name, So how do we know then what to actually type in the 'column_name' name.
So is their any method in which, we don't allow azure to remove that column's with null fields.
Ronak_Shah Wouldn't the system that is sending the data have a list of the fields it is sending?
- Ronak_ShahAug 26, 2021Copper Contributor
Hi, Thanks for your response
Actually yes, the system that is sending the data have a list of the fields it is sending, But when we pass the data through API to the Azure sentinel, Azure while parsing the data, changes the field names.Like for eg. In our system we sent fields "name" --> then azure checked for the values of those fields
--> If the values are null for all the events, then that field is removed
--> If the field is not null, then that field is present in azure, with a new name say "name_s"
So our concern is, if the fields is removed by azure, how do we know whether that field will come with the name of "name_s" or "something_else"?,
so that we can then write column_ifexists('name_s','') or column_ifexists('something_else','')
- GaryBusheyAug 26, 2021Bronze Contributor
Ronak_Shah Because you are writing this yourself and it is going to a custom table, the fields have the data type appended to them (no idea why, personally I find that quite annoying). So you will know that a field being sent as "name" will come through as "name_s" if it is a string so you will be able to use column_ifexists('name_s','')