cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'

%3CLINGO-SUB%20id%3D%22lingo-sub-3366507%22%20slang%3D%22en-US%22%3E'summarize'%20operator%3A%20Failed%20to%20resolve%20scalar%20expression%20named%20'TimeGenerated'%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3366507%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Everyone%2C%3C%2FP%3E%3CP%3EI%20am%20struggling%20to%20define%20time%20within%20query%20for%20workbook.%20My%20kql%20is%20represent%2010%20deny%20action%20followed%20by%201%20allow%20connection%20with%20same%20external%20source%20IP%20to%20private%20destination%20IP%20with%20in%20300%20second.%20First%20deny%20connection%20should%20be%20Start%20time%20and%20first%20allow%20connection%20should%20be%20end%20time.%20Source%20IP%20should%20be%20summarize%20so%20we%20can%20check%20how%20many%20external%20source%20ip%20successed%20to%20make%20connection%20with%20in%2024%20hours%20or%2048%20hours.%20Please%20some%20one%20help%20me%20to%20get%20proper%20result%20for%20workbook.%20when%20i%20am%20running%20this%20query%20below%20notification%20occurs%3A%3C%2FP%3E%3CP%3E'summarize'%20operator%3A%20Failed%20to%20resolve%20scalar%20expression%20named%20'TimeGenerated'%3C%2FP%3E%3CP%3Elet%20threshold%3D10%3B%3CBR%20%2F%3Elet%20threshold1%3D1%3B%3CBR%20%2F%3Elet%20authenticationWindow%20%3D%205m%3B%3CBR%20%2F%3Elet%20a%3D%3CBR%20%2F%3ECommonSecurityLog%3CBR%20%2F%3E%7C%20where%20DeviceVendor%20%3D%3D%20%22Palo%20Alto%20Networks%22%20and%20DeviceProduct%20%3D~%20%22PAN-OS%22%3CBR%20%2F%3E%7C%20where%20DeviceAction%20%3D%3D%20%22deny%22%3CBR%20%2F%3E%7C%20where%20(ipv4_is_private(SourceIP)%20%3D%3D%20'False'%20and%20ipv4_is_private(DestinationIP)%20%3D%3D%20'True')%3CBR%20%2F%3E%7C%20summarize%20denycount%20%3D%20count()%20by%20DeviceAction%2C%20SourceIP%2C%20DestinationIP%3CBR%20%2F%3E%7C%20where%20denycount%20%26gt%3B%3D%20%5B%22threshold%22%5D%3B%3CBR%20%2F%3Elet%20b%3D%3CBR%20%2F%3ECommonSecurityLog%3CBR%20%2F%3E%7C%20where%20DeviceVendor%20%3D%3D%20%22Palo%20Alto%20Networks%22%20and%20DeviceProduct%20%3D~%20%22PAN-OS%22%3CBR%20%2F%3E%7C%20where%20DeviceAction%20%3D%3D%20%22allow%22%3CBR%20%2F%3E%7C%20where%20(ipv4_is_private(SourceIP)%20%3D%3D%20'False'%20and%20ipv4_is_private(DestinationIP)%20%3D%3D%20'True')%3CBR%20%2F%3E%7C%20summarize%20allowcount%20%3D%20count()%20by%20DeviceAction%2C%20SourceIP%2C%20DestinationIP%3CBR%20%2F%3E%7C%20where%20allowcount%20%26gt%3B%3D%20%5B%22threshold1%22%5D%3B%3CBR%20%2F%3Ea%7Cjoin%20kind%20%3D%20inner(b)%20on%20SourceIP%3CBR%20%2F%3E%7C%20summarize%20StartTimeUtc%20%3D%20min(TimeGenerated)%2C%20EndTimeUtc%20%3D%20max(TimeGenerated)%20by%20bin(TimeGenerated%2C%20authenticationWindow)%2C%20SourceIP%2C%20DestinationIP%2C%20denycount%2C%20allowcount%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3369915%22%20slang%3D%22en-US%22%3ERe%3A%20'summarize'%20operator%3A%20Failed%20to%20resolve%20scalar%20expression%20named%20'TimeGenerated'%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3369915%22%20slang%3D%22en-US%22%3EYou%20haven't%20used%20that%20Column%20before%20in%20the%20code%20above%2C%20so%20the%20last%20line%20doesn't%20know%20about%20it%20-%20maybe%20add%20to%20this%20line%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%7C%20summarize%20denycount%20%3D%20count()%20by%20DeviceAction%2C%20SourceIP%2C%20DestinationIP%2C%20TimeGenerated%3C%2FLINGO-BODY%3E
akshay250692
New Contributor

‎May 12 2022 10:28 AM

‎May 12 2022 10:28 AM

'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'

Hi Everyone,

I am struggling to define time within query for workbook. My kql is represent 10 deny action followed by 1 allow connection with same external source IP to private destination IP with in 300 second. First deny connection should be Start time and first allow connection should be end time. Source IP should be summarize so we can check how many external source ip successed to make connection with in 24 hours or 48 hours. Please some one help me to get proper result for workbook. when i am running this query below notification occurs:

'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'

let threshold=10;
let threshold1=1;
let authenticationWindow = 5m;
let a=
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks" and DeviceProduct =~ "PAN-OS"
| where DeviceAction == "deny"
| where (ipv4_is_private(SourceIP) == 'False' and ipv4_is_private(DestinationIP) == 'True')
| summarize denycount = count() by DeviceAction, SourceIP, DestinationIP
| where denycount >= ["threshold"];
let b=
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks" and DeviceProduct =~ "PAN-OS"
| where DeviceAction == "allow"
| where (ipv4_is_private(SourceIP) == 'False' and ipv4_is_private(DestinationIP) == 'True')
| summarize allowcount = count() by DeviceAction, SourceIP, DestinationIP
| where allowcount >= ["threshold1"];
a|join kind = inner(b) on SourceIP
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by bin(TimeGenerated, authenticationWindow), SourceIP, DestinationIP, denycount, allowcount

148 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by akshay250692 (New Contributor)
Clive_Watson

‎May 13 2022 04:27 AM

‎May 13 2022 04:27 AM

Solution

Re: 'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'

You haven't used that Column before in the code above, so the last line doesn't know about it - maybe add to this line?

| summarize denycount = count() by DeviceAction, SourceIP, DestinationIP, TimeGenerated
1 Like
Reply
akshay250692

‎May 13 2022 06:22 AM

‎May 13 2022 06:22 AM

Re: 'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'

Thanks Clive for ur response. It is not working in ur line i.e. it is running but data is not coming but its working in
| summarize allowcount = count() by DeviceAction, SourceIP, DestinationIP, TimeGenerated
0 Likes
Reply