Forum Discussion
How to access Null fields in Parsers
Hi,
We are working on creating a custom connector to ingest data into Azure Sentinel. We are now working on parsers, and we are trying to replicate the data fields as they are in Splunk. In Splunk, even if all the values of a particular field, say name, are null in all the events, that field will still be shown as null in all the events.
But in Azure, if a particular field is null in all the events, Azure removes that field.
So, as we want to replicate the fields in the parsers, we can't access that particular field, say name, because Azure removed it. If in the parsers we create a new field statically, name="", then that field will be present.
But if a value comes in any 1 event out of 1000's, then this static representation would cause data loss.
So, can someone help me determine how we can import those null fields into our logs, or what method we can use to get those null fields which Azure removed?
5 Replies
- GaryBushey (Bronze Contributor)
Ronak_Shah Take a look at the KQL command column_ifexists() (Azure Data Explorer | Microsoft Docs).
It will check to see if a column exists and, if it does, will return its value; otherwise it returns a default value.
- Ronak_Shah (Copper Contributor)
Hi, thanks for your response.
Actually, the column_ifexists() command will be implemented in the parsers, and it will be useful when we actually know the column name. In column_ifexists('column_name',''), it will check whether the 'column_name' column is present or not; if not, then a null value will be added. But this is all possible only when we actually know the 'column_name'.
And as Azure has removed the column with null fields, it has actually removed our access to the column_name, so how do we know then what to actually type as the 'column_name'?
So is there any method in which we don't allow Azure to remove those columns with null fields?
- GaryBushey (Bronze Contributor)
Ronak_Shah Wouldn't the system that is sending the data have a list of the fields it is sending?
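The following KQL parser is an added example, not code from the thread or from Microsoft's documentation. It ties together the two suggestions above: the field list is taken from the source system's documented schema (the list Gary refers to), and each field is pinned with column_ifexists() (as in the first reply) so that a column Log Analytics dropped because it was null in every ingested event still comes back with a typed default. The table name Events_CL, the sample rows and the field names are constructed assumptions standing in for the real connector schema.

```kusto
// Added example, not from the original thread. Events_CL is a constructed
// stand-in for the custom connector's table; 'name' and 'bytes_out' are
// deliberately absent, as they would be if every ingested value were null.
let Events_CL = datatable(TimeGenerated: datetime, Computer: string, action: string) [
    datetime(2024-01-01 00:00:00), "host-a", "login",
    datetime(2024-01-01 00:01:00), "host-b", "logout"
];
Events_CL
// 'name' is missing from the table, so the string default "" is returned for every row
| extend name = column_ifexists("name", "")
// the default should match the documented type of the field; use long(0) for a counter
| extend bytes_out = column_ifexists("bytes_out", long(0))
// 'action' does exist, so its real values are returned unchanged
| extend action = column_ifexists("action", "")
// project in the order the source schema documents, so downstream queries see a stable shape
| project TimeGenerated, Computer, name, action, bytes_out
```

Because the parser declares every field from the source schema rather than only the ones present in today's data, a field that is null for 999 events and populated in the 1000th is still surfaced with its real value in that one event: column_ifexists() only substitutes the default when the column itself is absent, not per row.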