cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Kusto Explorer - So Many Tables!

DGMalcolm
Frequent Contributor

‎Apr 29 2023 08:46 AM

‎Apr 29 2023 08:46 AM

Kusto Explorer - So Many Tables!

Hey there!

 

I was looking for a way to manage KQL queries and keep a running tally of the queries I've done so I can step back through the history and figure out how I got where I am. I was hoping for a way to connect my KQL efforts to my GitHub repo. I did some research and found Michel Kamp's article on using Kusto Explorer to do this (https://michelkamp.wordpress.com/2020/08/05/a-better-place-to-handle-your-kql-queries/). I've now set up Kusto Explorer and connected it to my Sentinel environment. However, when I look under the connections I see hundreds of tables with most of them not having any relevance to my Sentinel environment. Actually, most of them are empty. Any idea why I'm seeing all of these non-existent tables? And is there a way to only retrieve tables that actually exist?

 

TIA

~dgm~

Labels:
437 Views
0 Likes
6 Replies
Reply
6 Replies
GBushey

‎May 01 2023 05:33 AM

‎May 01 2023 05:33 AM

Re: Kusto Explorer - So Many Tables!

Most likely there is something that is feeding your ADX environment or those are tables that ADX creates itself. You could look at the Sentinel Repository feature to store your queries (although it may take a little work as it doesn't with directly with log queries).
0 Likes
Reply
DGMalcolm

‎May 03 2023 12:14 PM

‎May 03 2023 12:14 PM

Re: Kusto Explorer - So Many Tables!

I actually don't have any ADX, just Sentinel. That's part of what has me confused.
0 Likes
Reply
GBushey

‎May 11 2023 07:26 AM

‎May 11 2023 07:26 AM

Re: Kusto Explorer - So Many Tables!

There are some tables that are not exposed via the Sentinel UI since they have no useful information.
0 Likes
Reply
DGMalcolm

‎May 11 2023 08:04 AM

‎May 11 2023 08:04 AM

Re: Kusto Explorer - So Many Tables!

@GBusheyI never knew that these were all hiding back there - >450 tables, most of them empty. It's not a big deal as I know which tables I'm working with. I wish there were a way to eliminate the empty tables from the view.

 

Also, haven't found a way to attach the work I'm doing to Git which was my original reason for using Kusto Explorer.

0 Likes
Reply
best response confirmed by DGMalcolm (Frequent Contributor)
laraib-khan

‎May 16 2023 04:48 AM

‎May 16 2023 04:48 AM

Solution

Re: Kusto Explorer - So Many Tables!

There's no automated way to connect KQL or any kind of Sentinel content back to GitHub. The best practice would be to manually copy KQL and paste them using the GitHub desktop + Sublime text or vs code. Otherwise, all efforts will be lost.
0 Likes
Reply
DGMalcolm

‎May 16 2023 08:25 AM

‎May 16 2023 08:25 AM

Re: Kusto Explorer - So Many Tables!

That seems to answer the underlying question. Disappointing but it's what I neede to hear. Thank you.
0 Likes
Reply