carliv
Copper Contributor
Apr 11, 2022

Sentinel Query Error: Failed to resolve table

Hey, for a couple of weeks now we can no longer query for CommonSecurityLog, just getting an error:

 

'order' operator: Failed to resolve table or column expression named 'CommonSecurityLog'

If issue persists, please open a support ticket.

 

Query:

CommonSecurityLog
| sort by TimeGenerated

 

I can run the same query in other tenants and I know it should work. MS support have been working on this for weeks, but we are getting nowhere.

I know the logs are being ingested, because incidents are triggered based on CEF logs. We just cannot query them...

Any others seen similar errors?

  • GaryBushey
    Bronze Contributor
    Do you get the same error if you just double-click on "CommonSecurityLog" in the table listing and run that?
      • GaryBushey
        Bronze Contributor
        Expand the "Microsoft Sentinel" group in the "Tables" listing to the left of where you enter your query and see if it shows up there. Double click on it and it should just paste the name into the query where you can run it and see what happens.

        Typically, if the table doesn't show up like you are showing, it means there is no data in it. You can open the Log settings (gear icon in the upper right of the Logs area, NOT in the Azure header bar) and there is a setting to "Show tables with no data". You can enable that to see all the tables.
