Problem with log queries

When using the Azure Log Analytics with the AIP Data Discovery reports, I'm getting a lot of fields with red squiggles indicating that they are not being recognized as valid field names. Has anyone else seen this? Why would this be happening? A bug?

2 Replies

@Dean Gross - do you mean when you click the "Log Analytics" button on the Data Discovery report under the "Analytics" section of the AIP blade?

clipboard_image_0.png

When I click that, I see this view in Log Analytics:

clipboard_image_1.png

Note the red underlines that appear after the line with "hint.strategy".

To me, that looks like a malformed query, given that there is also a line space that stops the second half being executed by default.

If you remove the line space, and also these lines:

| extend uniqeId = iff(Location_s =~ "Endpoint", strcat(MachineName_s, ObjectId_s), ObjectId_s)
| summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by uniqeId

then the red underlines all disappear and the query appears to work much better.

clipboard_image_2.png

I don't necessarily think it's a bug but I do think the link between the Data Discovery report and Log Analytics hasn't been configured correctly so it initiates the Log Analytics query incorrectly.

Someone with better knowledge of Kusto may want to correct me of course!

@markwarnes Thanks, yes that is what I mean, I had removed the empty line but had not considered removing the other 2 lines, thanks for the tip. 

I wonder what the summarize hint.strategy line is doing
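
On the question of what the two quoted lines do, here is an added example that is not part of the thread or of the report's own query. It runs those two lines over a small inline table; the table name `SampleDiscovery`, the `Label_s` column, the location value "SharePoint Online" and every row are constructed for illustration.

```kusto
// Constructed sample: repeated discovery events for the same files.
let SampleDiscovery = datatable(
    TimeGenerated: datetime,
    Location_s: string,
    MachineName_s: string,
    ObjectId_s: string,
    Label_s: string)          // Label_s is a made-up column for this example
[
    // Same path on PC-01, seen twice with a label change in between
    datetime(2019-10-01 08:00:00), "Endpoint", "PC-01", "C:/Docs/plan.docx", "General",
    datetime(2019-10-03 09:30:00), "Endpoint", "PC-01", "C:/Docs/plan.docx", "Confidential",
    // Same path, different machine: a different file as far as the report is concerned
    datetime(2019-10-02 11:15:00), "Endpoint", "PC-02", "C:/Docs/plan.docx", "General",
    // Non-endpoint location: ObjectId_s alone identifies the file
    datetime(2019-10-01 14:00:00), "SharePoint Online", "", "https://contoso.example/sites/hr/pay.xlsx", "General",
    datetime(2019-10-04 16:45:00), "SharePoint Online", "", "https://contoso.example/sites/hr/pay.xlsx", "Highly Confidential"
];
SampleDiscovery
// Build a per-file key. A local path is only unique per machine, so for
// "Endpoint" rows the machine name is prefixed to the path (=~ compares
// case-insensitively). Everywhere else ObjectId_s is used as-is.
| extend uniqeId = iff(Location_s =~ "Endpoint", strcat(MachineName_s, ObjectId_s), ObjectId_s)
// arg_max(TimeGenerated, *) keeps, for each uniqeId, the single row with the
// latest TimeGenerated and returns all of its columns, so older events for
// the same file are dropped and only its most recent state remains.
// hint.strategy = shuffle is a performance hint: it asks the engine to
// partition the aggregation by the group key across nodes, which helps when
// there are very many distinct uniqeId values. It does not change the result.
| summarize hint.strategy = shuffle arg_max(TimeGenerated, *) by uniqeId
| project uniqeId, TimeGenerated, Location_s, MachineName_s, Label_s
| order by uniqeId asc
```

Removing the two lines from the report query therefore returns every logged event rather than one latest row per file, so any counts built on the result include repeated events for the same file.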