KQL Query. Arrange the Columns.

%3CLINGO-SUB%20id%3D%22lingo-sub-1581100%22%20slang%3D%22en-US%22%3EKQL%20Query.%20Arrange%20the%20Columns.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1581100%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20running%20the%20below%20query%20and%20want%20to%20rearrange%20the%20result%20columns.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3EConfigurationData%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20ConfigDataType%20%3D%3D%20%3C%2FSPAN%3E%3CSPAN%3E%22WindowsServices%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20(SvcName%20%3C%2FSPAN%3E%3CSPAN%3Econtains%3C%2FSPAN%3E%20%3CSPAN%3E%22MSSQL%22%3C%2FSPAN%3E%3CSPAN%3E)%20%3C%2FSPAN%3E%3CSPAN%3Eor%3C%2FSPAN%3E%3CSPAN%3E%20(SvcName%20%3C%2FSPAN%3E%3CSPAN%3Econtains%3C%2FSPAN%3E%20%3CSPAN%3E%22MSSQLFDLauncher%22%3C%2FSPAN%3E%3CSPAN%3E)%20%3C%2FSPAN%3E%3CSPAN%3Eor%3C%2FSPAN%3E%3CSPAN%3E%20(SvcName%20%3C%2FSPAN%3E%3CSPAN%3Econtains%3C%2FSPAN%3E%20%3CSPAN%3E%22SQLAgent%22%3C%2FSPAN%3E%3CSPAN%3E)%20%3C%2FSPAN%3E%3CSPAN%3Eor%3C%2FSPAN%3E%3CSPAN%3E%20(SvcName%20%3D%3D%20%3C%2FSPAN%3E%3CSPAN%3E%22SQLBrowser%22%3C%2FSPAN%3E%3CSPAN%3E)%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20SvcState%20!%3D%20%3C%2FSPAN%3E%3CSPAN%3E%22Running%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20SvcStartupType%20!%3D%20%3C%2FSPAN%3E%3CSPAN%3E%22Disabled%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Esummarize%3C%2FSPAN%3E%3CSPAN%3E%20arg_max(TimeGenerated%2C%20*)%20%3C%2FSPAN%3E%3CSPAN%3Eby%3C%2FSPAN%3E%3CSPAN%3E%20Computer%2C%20SvcDisplayName%20%2C%20SvcName%2C%20SvcState%2C%20SvcStartupType%2C%20SvcPath%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Eproject%3C%2FSPAN%3E%3CSPAN%3E%20Computer%2C%20TimeGenerated%2C%20SvcDisplayName%20%2C%20SvcName%2C%20SvcState%2C%20SvcStartupType%2C%20SvcPath%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSTRONG%3EDespite%20using%20the%20%22Project%22%2C%26nbsp%3B%20%22Project-reorder%22%26nbsp%3B%20I%20am%20unable%20to%20arrange%20column%20of%20%22TimeGenerated%22.%20In%20result%20section%20%22TimeGenerated%22%20appear%20as%20first%20column.%20However%2C%20I%20want%20to%20put%20it%20as%20second%20column.%26nbsp%3B%3C%2FSTRONG%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EPS%20%3A%20We%20are%20using%20this%20query%20in%20alert%20rules%20and%20using%20alert%20JSON%20to%20do%20further%20automation.%20So%20we%20are%20kind%20of%20rigid%20in%20placing%20column%20position.%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Consultant1520_0-1597150575894.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F211758iE1BF3669471DA15B%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Consultant1520_0-1597150575894.png%22%20alt%3D%22Consultant1520_0-1597150575894.png%22%20%2F%3E%3C%2FSPAN%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1586317%22%20slang%3D%22en-US%22%3ERe%3A%20KQL%20Query.%20Arrange%20the%20Columns.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1586317%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F252357%22%20target%3D%22_blank%22%3E%40Consultant1520%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CP%3EThis%20issue%20is%20known%20to%20us%20and%20we%20have%20it%20in%20our%20backlog%20to%20fix%20it.%3C%2FP%3E%0A%3CP%3EAt%20this%20point%20in%20time%2C%20I%20can't%20commit%20to%20a%20timeline%20as%20the%20fix%20is%20dependent%20on%20other%20backlog%20items%20we%20are%20currently%20working%20on.%3C%2FP%3E%0A%3CP%3EPlease%20note%20that%20you%20can%20drag%20and%20drop%20columns%20in%20the%20result%20set%20area%20to%20control%20how%20they%20are%20arranged.%3C%2FP%3E%0A%3CP%3EThanks!%3C%2FP%3E%0A%3CP%3ER%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I am running the below query and want to rearrange the result columns. 

 

ConfigurationData
| where ConfigDataType == "WindowsServices"
| where (SvcName contains "MSSQL") or (SvcName contains "MSSQLFDLauncher") or (SvcName contains "SQLAgent") or (SvcName == "SQLBrowser")
| where SvcState != "Running"
| where SvcStartupType != "Disabled"
| summarize arg_max(TimeGenerated, *) by Computer, SvcDisplayName , SvcName, SvcState, SvcStartupType, SvcPath
| project Computer, TimeGenerated, SvcDisplayName , SvcName, SvcState, SvcStartupType, SvcPath
 
 
Despite using the "Project",  "Project-reorder"  I am unable to arrange column of "TimeGenerated". In result section "TimeGenerated" appear as first column. However, I want to put it as second column. 
 
PS : We are using this query in alert rules and using alert JSON to do further automation. So we are kind of rigid in placing column position. 
 
Consultant1520_0-1597150575894.png

 

1 Reply

Hi @Consultant1520 ,

This issue is known to us and we have it in our backlog to fix it.

At this point in time, I can't commit to a timeline as the fix is dependent on other backlog items we are currently working on.

Please note that you can drag and drop columns in the result set area to control how they are arranged.

Thanks!

R