SOLVED

Query could not be parsed at 'SecurityEvent' on line.....

%3CLINGO-SUB%20id%3D%22lingo-sub-1058794%22%20slang%3D%22en-US%22%3EQuery%20could%20not%20be%20parsed%20at%20'SecurityEvent'%20on%20line.....%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1058794%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20upgraded%20to%20the%20%3CSTRONG%3Estandard%20tier%3C%2FSTRONG%3E%2C%20but%20this%20still%20isn't%20working.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EI%20can%20query%20events%2C%20but%20if%20I%20use%20any%20queries%20that%20involve%20SecurityEvent%20it%20doesn't%20work.%20Basically%20I'm%20trying%20to%20follow%20this%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fpixelrobots.co.uk%2F2019%2F07%2Fquery-active-directory-security-events-using-azure-log-analytics-on-the-cheap%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fpixelrobots.co.uk%2F2019%2F07%2Fquery-active-directory-security-events-using-azure-log-analytics-on-the-cheap%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F160953iA484F241554BED58%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22query-securiytevent.jpg%22%20title%3D%22query-securiytevent.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1058794%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECustom%20Logs%20and%20Custom%20Fields%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1059748%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20could%20not%20be%20parsed%20at%20'SecurityEvent'%20on%20line.....%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1059748%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F314452%22%20target%3D%22_blank%22%3E%40natv%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThat%20error%20is%20saying%20that%20the%20SecurityEvent%20table%20doesn't%20(yet)%20exist%20-%20there%20could%20be%20a%20delay%2C%20so%20please%20try%20again%20today.%26nbsp%3B%20You%20need%20to%20confirm%20in%20ASC%20that%20you%20are%20sending%20the%20data%20to%20the%20correct%20Log%20Analytics%20workspace%2C%20either%20a%20%3CEM%3Enamed%3C%2FEM%3E%20one%20(like%20below)%20or%20a%20%3CEM%3Edefault%3C%2FEM%3E%20one%20(there%20maybe%20a%20few)%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F161062iB40C051E747F05A8%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1060741%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20could%20not%20be%20parsed%20at%20'SecurityEvent'%20on%20line.....%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1060741%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%20thanks%2C%20it%20magically%20started%20working%20the%20next%20day.%20Then%20stopped%20working%20after%20I%20added%20a%20few%20more%20servers%20for%20a%20period%20of%20time%2C%20and%20started%20all%20working%20again%20sometime%20after.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAll%20good%20now.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

We upgraded to the standard tier, but this still isn't working.


I can query events, but if I use any queries that involve SecurityEvent it doesn't work. Basically I'm trying to follow this:

 

https://pixelrobots.co.uk/2019/07/query-active-directory-security-events-using-azure-log-analytics-o...

 

 

query-securiytevent.jpg

2 Replies
Best Response confirmed by natv (New Contributor)
Solution

@natv 

That error is saying that the SecurityEvent table doesn't (yet) exist - there could be a delay, so please try again today.  You need to confirm in ASC that you are sending the data to the correct Log Analytics workspace, either a named one (like below) or a default one (there maybe a few)?

 

clipboard_image_0.png

@Clive Watson  thanks, it magically started working the next day. Then stopped working after I added a few more servers for a period of time, and started all working again sometime after.

 

All good now.