Dec 12 2019
- last edited on
Apr 08 2022
I have at least two instances where I receive data in Log Analytics (OfficeActivity from Office 365 via the Azure Sentinel connector) yet, when I try to query it, the table cannot be found:
'take' operator: Failed to resolve table or column expression named 'OfficeActivity'
The connector has been configured several days ago and I know that the logs are received:
While I tried to connect from 3 different ISPs with no luck, it seems that from some locations, the data is accessible so it must be something about these tables being replicated through Azure. I have contributor role to the subscription.
Dec 18 2019 06:22 AM
@Stanislav Zhelyazkov Thank you for the reply. Unfortunately, the issue persists. It seems that the tables that are affected are OfficeActivity and custom logs, weeks after the tables have been created (with data streaming in on regular basis). Just trying to create alerts in Azure Sentinel using these tables is failing as the KQL scripts cannot be validated (since the tables "don't exist"). Some succeed after several tries. One particular subscription is based on South Africa North region and the other in Canada Central so maybe is something about that?
Dec 18 2019 06:28 AM
The only way that you are not seeing these tables could be by two issues:
- You do not have permissions. If you have Contributor permissions on the subscription where the workspace is that shouldn't be problem
- When you have opened Logs blade you scoped it to something else (you can now scope per subscription, resource group or specific resource) instead of the actual workspace resource.
There isn't any replication in Log Analytics workspace happening that could be preventing you from searching (as far as I know) these tables.
Can you describe the steps on how you query the logs?
If none of the above is the problem you might want to open official case to MS support to investigate.