Jul 08 2019 03:08 PM
Jul 08 2019 03:08 PM
trying to execute:
Jul 08 2019 11:19 PM
Hi @Leon_K ,
I do not have those logs in a demo environment but executing the first query does not give me any syntax errors just 0 records. Can you give more details?
The second query you have posted truly give syntax error but that is because you are using '--' instead of '==' I would assume for filtering on requestUri_s.
Jul 09 2019 04:24 AM
Do you have those logs?
AzureDiagnostics | where Category startswith "ApplicationGateway" | summarize count() by Category
Jul 09 2019 08:42 AM
Jul 09 2019 08:53 AM
Jul 09 2019 09:26 AM
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" //and Category == "ApplicationGatewayFirewalllog" | where requestUri_s == "/" and action_s != "Blocked" | summarize count () by action_s, ruleId_s
I don't have that data, nor is it in the demo portal, but ruleId_s and action_s seem to work in this test query
Jul 09 2019 11:00 PMSolution
Now I get what is the error about. Some columns will not exist if there was no data for them at any point in time. The action_s column will appear in the schema only if at some point such data was ingested. At the time of ingestion that column will be created in the schema. Best way is configure your App GW to send diagnostic logs to Log Analytics and once data is ingested for that log the column would appear and you will not get errors. Of course Kusto is powerful language so you can do other things like if column do not exists put some default value and create it. I have answered that question here:
I will mark this reply as answer but if you need some guidance on diagnostic logs let me know.
Jul 10 2019 07:25 AM
@Leon_K Yes, certain columns are created only when first data for them arrives. Similar the way it is with custom logs via data ingestion api. Some columns are available out of the box but that is for example such that are common across all diagnostic logs like Category. The current schema for your workspace can be seen in Logs view.