cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Watchlists: failed to resolve scalar expression

KevinHemelrijk
Copper Contributor

‎Oct 26 2023 01:42 AM - edited ‎Oct 27 2023 05:43 AM

‎Oct 26 2023 01:42 AM - edited ‎Oct 27 2023 05:43 AM

Watchlists: failed to resolve scalar expression

Hi Techies,

 

We want to use a watchlist inside a KQL query which is supposed to be simple, but we are actually struggling a bit with the following issue "'project' operator: Failed to resolve scalar expression named 'emailAddress'". According to the documentation it should look something like this, but it is not working correctly:

KevinHemelrijk_0-1698309630404.png

Our watchlist looks like this:

KevinHemelrijk_1-1698309694957.png

Sentinel Docs:

KevinHemelrijk_0-1698309907110.png

 

EDIT:

The problem has been solved. We have an invisible space character inside our deployment script which caused the problem. Thanks everyone for helping out, and thanks @Clive_Watson for leading us in the right direction.

 

Labels:
872 Views
0 Likes
7 Replies
Reply
7 Replies
Clive_Watson

‎Oct 26 2023 04:07 AM

‎Oct 26 2023 04:07 AM

Re: Watchlists: failed to resolve scalar expression

If you just query this, does it work? That error is usually the Column name not being found by project (and its case sensitive).

_GetWatchlist('VIPUsers') | project emailAddress

0 Likes
Reply
KevinHemelrijk

‎Oct 26 2023 04:10 AM

‎Oct 26 2023 04:10 AM

Re: Watchlists: failed to resolve scalar expression

@Clive_Watson 

KevinHemelrijk_0-1698318553826.png

Unfortunately that does not work aswell. 

0 Likes
Reply
Clive_Watson

‎Oct 26 2023 04:43 AM

‎Oct 26 2023 04:43 AM

Re: Watchlists: failed to resolve scalar expression

Now try it without the project: _GetWatchlist('VIPUsers')

It seems like the Column is named something other than "emailAddresses"
0 Likes
Reply
KevinHemelrijk

‎Oct 26 2023 04:45 AM

‎Oct 26 2023 04:45 AM

Re: Watchlists: failed to resolve scalar expression

@Clive_Watson 

KevinHemelrijk_0-1698320689654.png

It really is emailAddress ;)

I am starting to think that it is bugged haha

0 Likes
Reply
best response confirmed by KevinHemelrijk (Copper Contributor)
Clive_Watson

‎Oct 26 2023 04:56 AM

‎Oct 26 2023 04:56 AM

Solution

Re: Watchlists: failed to resolve scalar expression

Thats odd. Will any other Column project ok, such as SearchKey?
Maybe there are some control characters or spaces in the original CSV file, or it's corrupted in some way?
0 Likes
Reply
Ulrik_Klepsch

‎Oct 27 2023 05:38 AM

‎Oct 27 2023 05:38 AM

Re: Watchlists: failed to resolve scalar expression

How about something like:
_GetWatchlist('VIPUsers') | Summarize make_set(emailAddress)
0 Likes
Reply
KevinHemelrijk

‎Oct 27 2023 05:44 AM

‎Oct 27 2023 05:44 AM

Re: Watchlists: failed to resolve scalar expression

This was the answer. We had a special "space" character in the script deployment which we didn't notice at first cause it was not visible. But thanks to your answer we started checking this again and we got it! Thanks for your help :)
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by KevinHemelrijk (Copper Contributor)
Clive_Watson

‎Oct 26 2023 04:56 AM

‎Oct 26 2023 04:56 AM

Solution

Re: Watchlists: failed to resolve scalar expression

Thats odd. Will any other Column project ok, such as SearchKey?
Maybe there are some control characters or spaces in the original CSV file, or it's corrupted in some way?

View solution in original post

0 Likes
Reply