Forum Discussion
KQL extend command does not seem to work in a workbook
Hi all,
I have an issue with the extend command in a custom workbook.
The following KQL query parses Palo Alto logs to extract specific fields (like PanOSSourceUserName, etc.) and create new columns (same name).
CommonSecurityLog
| where DeviceProduct == "PAN-OS"
| where DeviceEventClassID == "GLOBALPROTECT"
// capture group 1 returns just the value; group 0 would return the whole match, "PanOSSourceUserName=<value>"
| extend PanOSSourceUserName = extract(@"PanOSSourceUserName=([A-Za-z.]+@[A-Za-z.]+)", 1, AdditionalExtensions)
| extend PanOSSourceRegion = extract(@"PanOSSourceRegion=([A-Za-z.]+)", 1, AdditionalExtensions)
| extend PanOSPublicIPv4 = extract(@"PanOSPublicIPv4=([0-9.]+)", 1, AdditionalExtensions)
| project-away ExtID, LogSeverity, Activity
When I run this KQL query against the logs (Sentinel dashboard -> General -> Logs), I get the expected result.
If I edit a workbook (then Add query) and run the same KQL query, the new columns (like PanOSSourceUserName, etc.) are not created!
Is it normal ??
Any idea ?
Regards,
HA
- Clive_Watson (Bronze Contributor): That wouldn't be normal. Make sure your workbook query (when you add the query) is set to the same workspace and also the right TimeGenerated range if you are using a parameter. Also try to | project PanOSSourceUserName in the workbook (as the final line, in case it's hitting the displayed column limit?).
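For reference, here is the poster's query rewritten with the explicit project that the reply suggests, so the workbook grid is told exactly which columns to show instead of relying on its default column selection. This is an added example, not the original poster's query or a Microsoft sample; the {TimeRange} parameter name is assumed (it is whatever time-range parameter the workbook defines), and the regex capture group is 1 so each column holds only the value rather than the "key=value" text:

```kql
CommonSecurityLog
// assumed workbook time-range parameter named TimeRange; drop this line if the query uses the step's own range
| where TimeGenerated {TimeRange}
| where DeviceProduct == "PAN-OS"
| where DeviceEventClassID == "GLOBALPROTECT"
// capture group 1 = the parenthesised value only (group 0 would include the "PanOS...=" prefix)
| extend PanOSSourceUserName = extract(@"PanOSSourceUserName=([A-Za-z.]+@[A-Za-z.]+)", 1, AdditionalExtensions)
| extend PanOSSourceRegion = extract(@"PanOSSourceRegion=([A-Za-z.]+)", 1, AdditionalExtensions)
| extend PanOSPublicIPv4 = extract(@"PanOSPublicIPv4=([0-9.]+)", 1, AdditionalExtensions)
// list the wanted columns explicitly as the final line so the workbook grid renders the new ones
| project TimeGenerated, SourceIP, DestinationIP, PanOSSourceUserName, PanOSSourceRegion, PanOSPublicIPv4
```

Running the same text in the Logs blade and in the workbook query step with the same workspace and time range selected is the quickest way to confirm the two are seeing the same rows; if the Logs result shows the columns and the workbook grid still does not, the final project line is the first thing to check.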
- HA13029 (Copper Contributor): Hi Clive,
The key point here is the '| project PanOSSourceUserName' and the other fields I want to see...
It works fine now !!
Again, many thanks for your help !!
Regards,
HA