KQL error 'project' operator: Failed to resolve scalar expression named 'state'.
I am trying to create a simple use case based on the sign-in logs for the "detection of sign-in from a single username from two different locations".
Please find below the query:-
SigninLogs
| where TimeGenerated >= ago(24h)
| evaluate bag_unpack(LocationDetails)
| project Identity, state
| summarize dcount(state) by Identity
| where dcount_state > 1
I am getting the error
'project' operator: Failed to resolve scalar expression named 'state'.
I tried to extract the locationDetails through the extend command as well, but got the same results.
Please let me know the following:-
1) Are there any limits on the operations/usage on the dynamically extracted fields in Sentinel?
2) What limitations are there?
3) Please suggest a solution so that I can use the State field to get the required results.
2 Replies
- Clive_Watson (Bronze Contributor): The above query works perfectly for me.
- GBushey (Former Employee): Works for me as well. Have you tried this query again recently?
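
An added example, not part of the original thread or any participant's query: the same detection written with an explicit property accessor instead of bag_unpack, so the State column exists even when some or all rows lack a state key. It assumes LocationDetails is a dynamic column and that the error came from a window in which no unpacked row carried a state key (bag_unpack derives its output columns from the data it processes); SampleSignins, its rows, and the column names State, DistinctStates and States are constructed for illustration.

```kql
// Constructed sample rows standing in for SigninLogs (not real data).
// The last two rows have no "state" key, the case that leaves bag_unpack
// without a state column to project.
let SampleSignins = datatable(TimeGenerated:datetime, Identity:string, LocationDetails:dynamic)
[
    datetime(2024-01-01 08:00:00), "alice", dynamic({"city":"Seattle","state":"Washington","countryOrRegion":"US"}),
    datetime(2024-01-01 09:30:00), "alice", dynamic({"city":"Austin","state":"Texas","countryOrRegion":"US"}),
    datetime(2024-01-01 10:00:00), "bob",   dynamic({"city":"Pune","state":"Maharashtra","countryOrRegion":"IN"}),
    datetime(2024-01-01 11:00:00), "bob",   dynamic({"countryOrRegion":"IN"}),
    datetime(2024-01-01 12:00:00), "carol", dynamic({})
];
SampleSignins
// Against the live table, start from SigninLogs instead and add:
//   | where TimeGenerated >= ago(24h)
// tostring() on a missing key returns an empty string, so the column always resolves.
| extend State = tostring(LocationDetails.state)
// Rows without a state must not count as a separate location.
| where isnotempty(State)
// Keep the set of states next to the count so an analyst can triage the hit.
| summarize DistinctStates = dcount(State), States = make_set(State) by Identity
| where DistinctStates > 1
```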