Problem with log queries

When using the Azure Log Analytics with the AIP Data Discovery reports, i'm getting a lot of fields with red squiggles indicating that they are not being recognized as valid field names, has anyone e...

information protection and governance

microsoft information protection

markwarnes

Brass Contributor

Dean_Gross - do you mean when you click the "Log Analytics" button on the Data Discovery report under "Analytics" section of the AIP blade?

When I click that, I see this view in Log Analytics:

Note the red underlines that appear after the line with "hint.strategy".

To me, that looks like a malformed query, given that there is also a line space that stops the second half being executed by default.

If you remove the line space, and also these lines:

| extend uniqeId = iff(Location_s =~ "Endpoint", strcat(MachineName_s, ObjectId_s), ObjectId_s)
| summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by uniqeId

then the red underlines all disappear and the query appears to work much better.

I don't necessarily think it's a bug but I do think the link between the Data Discovery report and Log Analytics hasn't been configured correctly so it initiates the Log Analytics query incorrectly.

Someone with better knowledge of Kusto may want to correct me of course!

Dean_Gross

Silver Contributor

Oct 18, 2019

markwarnes Thanks, yes that is what I mean, I had removed the empty line but had not considered removing the other 2 lines, thanks for the tip.

I wonder what the summarize hint.strategy line is doing

Forum Discussion

Problem with log queries

Share

Resources